Control: severity -1 normal I'm downgrading the severity since my initial thinking is that this is somewhat of a feature request and also a description of unexpected behavior but not necessarily wrong behavior from how gnome-software is designed to work. Also, Debian appears to be changing the autoremoval rules which makes RC level bugs have far-reaching effects.
On Mon, Oct 13, 2025 at 2:17 AM Raphaël Halimi <[email protected]> wrote: > The problem was that this package has a versioned dependency against > Firefox ESR. We do this in order to control when our users will switch > to a new ESR version. I was confident that this would hold Firefox ESR > upgrades until we decided to allow them, since `unattended-upgrades` is > not supposed to remove packages, but it seems that GNOME Software > doesn't care about that: to install the new version of `firefox-esr` > (presented as a security update, OK, but still), it carelessly removed > my package (and one of its reverse dependencies), as shown in the logs: Maybe apt-mark hold would have worked? > Note: of course our users don't have administrator rights on their > machines and normally can't install packages by themselves with tools > like APT or GNOME software. This was an automatic upgrade seemingly > initiated by GNOME Software and handled by PackageKit, the user just > accepted what the UI suggested. If you don't want your users installing apps, it makes sense to me for you to remove gnome-software like you did. Maybe you need to also lock down PackageKit with a PolicyKit rule. > In the meantime I created an equiv package to remove `gnome-software` > from all machines (since anyway users are not allowed to install > packages with it), and let `unattended-upgrades` manage upgrades. Maybe > `gnome-software` should not be a hard dependency of `gnome-core`, but > merely a recommends. gnome-core is generally just mirroring the package choices of GNOME upstream. There have been some requests over the years to create a more minimal GNOME metapackage for Debian, but it hasn't been done yet. You can follow https://bugs.debian.org/1089002 for this request. Thank you, Jeremy Bícha
