Package: unattended-upgrades
Version: 2.8
Severity: minor
Tags: patch

We have the backports repository configured on our servers, however it's pinned to a priority of 100 to not install newer versions by default. We also have kernel packages (linux-image.*) blacklisted for unattended-upgrades. apt would not (checked by apt policy) install the newer version from backports, but unattended-upgrades sends an email each day with the information that a package (linux-image-amd64) is on hold.
Looking at the code, this behavior happens because unattended-upgrades assigns each blacklisted package a priority of -32768 (NEVER_PIN), which overrides all other apt pinning and also sets the priority of each and every version of this package to the same number, regardless of its former priority. Therefore, kept_package_excuse() will always find a better version in such cases, regardless of pinning, as it compares the modified (NEVER_PIN) priorities.

I have two proposals:

1) take the original priorities into account for finding newer versions, but this will probably be quite a big rework

2) do not report blacklisted packages as kept / on hold, as there is currently no way to discern whether the newer version is a candidate for installation

Here is a patch for option 2:

--- /usr/bin/unattended-upgrade 2021-02-19 13:11:42.000000000 +0100 +++ unattended-upgrade 2022-06-03 14:22:53.972635631 +0200
@@ -208,6 +208,8 @@ "dry-run mode.")) return kept_packages for pkg in self: + if pkg.is_installed and pkg.installed.policy_priority == NEVER_PIN: + continue better_version = self.find_better_version(pkg) if better_version: logging.info(self.kept_package_excuse(pkg._pkg,

Cheers
Volker

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.17.0-1-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages unattended-upgrades depends on:
ii  debconf [debconf-2.0]  1.5.79
ii  lsb-base               11.2
ii  lsb-release            11.2
ii  python3                3.9.8-1
ii  python3-apt            2.3.0+b1
ii  python3-dbus           1.2.18-3+b1
ii  python3-distro-info    1.1
ii  ucf                    3.0043
ii  xz-utils               5.2.5-2.1

Versions of packages unattended-upgrades recommends:
ii  anacron             2.3-32
ii  cron [cron-daemon]  3.0pl1-139
ii  systemd-sysv        250.4-1

Versions of packages unattended-upgrades suggests:
pn  bsd-mailx                                  <none>
ii  exim4-daemon-light [mail-transport-agent]  4.95-6
ii  needrestart                                3.6-1
ii  powermgmt-base                             1.36
ii  python3-gi                                 3.42.1-1

-- debconf information:
* unattended-upgrades/enable_auto_updates: true
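Review bot: the skip in the two added lines is silent, so a blacklisted package simply disappears from the kept list with no trace in the log; a `logging.debug()` line before the `continue` stating that the package is pinned to NEVER_PIN (blacklisted) would let an operator see why it is no longer reported. The check also relies on the blacklist pin having already been applied to every version of the package before this loop runs, which the report says is the case; a short comment on the `if` line stating that assumption, and that `pkg.installed.policy_priority` is inspected for that reason, would make the intent clear to the next reader. As the report itself notes, this hides genuine holds on blacklisted packages as well, so the trade-off should be recorded in the changelog entry.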
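The following Python model is an added illustration of the mechanism the report describes; it is not code from unattended-upgrades or from the reporter's patch. It reduces apt's candidate selection to "highest priority wins, ties broken by highest version" and replaces dpkg's version ordering with a dotted-numeric compare (both simplifications), uses the NEVER_PIN value of -32768 quoted in the report, and constructs the kernel version numbers and priorities itself. It shows the false "kept" report appearing once every version is pinned to NEVER_PIN, and then both of the reporter's proposals (skipping NEVER_PIN packages, and comparing against the original priorities) making it go away.

```python
"""Model of the 'kept package' false positive described in the report.

Constructed example (not unattended-upgrades code): apt's candidate
selection is reduced to "highest priority wins, ties broken by highest
version", and Debian version ordering is replaced by a dotted-numeric
compare. Version numbers and priorities below are made up for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Value unattended-upgrades assigns to every version of a blacklisted package.
NEVER_PIN = -32768


@dataclass
class Version:
    version: str
    priority: int            # effective apt pin priority (may be overwritten)
    installed: bool = False
    original_priority: int = field(default=None)  # priority before any blacklist pin

    def __post_init__(self):
        if self.original_priority is None:
            self.original_priority = self.priority


@dataclass
class Package:
    name: str
    versions: list[Version]

    @property
    def installed(self) -> Version | None:
        return next((v for v in self.versions if v.installed), None)


def version_key(v: str) -> tuple[int, ...]:
    """Simplified ordering; real apt uses dpkg's version comparison."""
    return tuple(int(p) for p in v.split("."))


def candidate(pkg: Package, use_original: bool) -> Version:
    """apt policy in miniature: highest priority wins, then highest version."""
    prio = (lambda v: v.original_priority) if use_original else (lambda v: v.priority)
    return max(pkg.versions, key=lambda v: (prio(v), version_key(v.version)))


def find_better_version(pkg: Package, use_original: bool = False) -> Version | None:
    """A 'better' version is a candidate newer than what is installed.

    use_original=False reproduces the behaviour the report describes (the
    comparison sees the NEVER_PIN priorities); use_original=True models
    the reporter's proposal 1 (compare against the pre-blacklist priorities).
    """
    inst = pkg.installed
    if inst is None:
        return None
    cand = candidate(pkg, use_original)
    return cand if version_key(cand.version) > version_key(inst.version) else None


def blacklist(pkg: Package) -> None:
    """Mimic the blacklist: pin every version to NEVER_PIN, as the report says."""
    for v in pkg.versions:
        v.priority = NEVER_PIN


def kept_packages(pkgs: list[Package], skip_never_pin: bool = False,
                  use_original: bool = False) -> list[str]:
    """Names that would be reported as 'kept back'.

    skip_never_pin=True models the report's proposal 2 (the submitted patch):
    do not report packages whose installed version is pinned to NEVER_PIN.
    """
    kept = []
    for pkg in pkgs:
        inst = pkg.installed
        if skip_never_pin and inst is not None and inst.priority == NEVER_PIN:
            continue
        if find_better_version(pkg, use_original) is not None:
            kept.append(pkg.name)
    return kept


def demo() -> dict[str, list[str]]:
    # Constructed: installed kernel from the suite at priority 500, a newer
    # one in backports pinned to 100, so apt's own candidate stays installed.
    kernel = Package("linux-image-amd64", [
        Version("5.16.0", 500, installed=True),
        Version("5.18.0", 100),
    ])
    results = {"before_blacklist": kept_packages([kernel])}
    blacklist(kernel)
    results["unpatched"] = kept_packages([kernel])               # false positive
    results["proposal_2"] = kept_packages([kernel], skip_never_pin=True)
    results["proposal_1"] = kept_packages([kernel], use_original=True)
    return results


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:17s} kept = {names}")
```

Running the module prints an empty kept list before the blacklist, the spurious `['linux-image-amd64']` once all versions carry NEVER_PIN, and empty lists again under either proposal. The `original_priority` field is what proposal 1 would need the real code to preserve before the blacklist pin is applied; proposal 2 needs no extra state, which is why it is the smaller change.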