Package: unattended-upgrades
Version: 2.8
Severity: minor
Tags: patch

We have the backports repository configured on our servers; however, it's pinned 
to a priority of 100 so as not to install newer versions by default.
We also have kernel packages (linux-image.*) blacklisted for 
unattended-upgrades.
apt would not (checked by apt policy) install the newer version from backports, 
but unattended-upgrades sends an email each day with the information that a 
package (linux-image-amd64) is on hold.

Looking at the code, this behavior happens because unattended-upgrades assigns 
each blacklisted package a priority of -32768 (NEVER_PIN), which overrides all 
other apt pinning and also sets the priority of each and every version of this 
package to the same number, regardless of its former priority.
Therefore, kept_package_excuse() will always find a better version in such 
cases, regardless of pinning, as it compares the modified (NEVER_PIN) 
priorities.

I have two proposals:
1) take the original priorities into account for finding newer versions, but this 
will probably be quite a big rework
2) do not report blacklisted packages as kept / on hold, as there is currently 
no way to discern whether the newer version is a candidate for installation

Here is a patch for option 2:

--- /usr/bin/unattended-upgrade 2021-02-19 13:11:42.000000000 +0100
+++ unattended-upgrade  2022-06-03 14:22:53.972635631 +0200
@@ -208,6 +208,8 @@
                            "dry-run mode."))
             return kept_packages
         for pkg in self:
+            if pkg.is_installed and pkg.installed.policy_priority == NEVER_PIN:
+                continue
             better_version = self.find_better_version(pkg)
             if better_version:
                 logging.info(self.kept_package_excuse(pkg._pkg,
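Review bot: the new check at the top of the loop keys on the installed version's raw policy_priority and so assumes the blacklist pins have already been applied to the cache by the time this method runs; add a one-line comment stating that the skip is for blacklisted packages (pinned to NEVER_PIN) so the intent survives, and, if the blacklist itself is reachable here, consider testing the package against it directly, since any other code path that pins an installed version to NEVER_PIN would also be silently dropped from the kept-packages report.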


Cheers
Volker
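As an added illustration of the priority mismatch described in the report (this is not code from unattended-upgrades or from the reporter), here is a small Python model of apt's candidate rule, an assumed rendering of find_better_version() as the report characterises it, and the kept-packages loop with and without the proposed skip; the version numbers and the "other-pkg" name are constructed.

```python
from dataclasses import dataclass

NEVER_PIN = -32768  # the pin the report says unattended-upgrades gives blacklisted packages


@dataclass
class Version:
    ver: tuple        # version as a tuple so tuple ordering stands in for dpkg comparison
    priority: int     # effective apt pin priority of this version
    installed: bool = False


def apt_candidate(versions):
    """apt's rule (apt_preferences(5)): highest priority wins, ties go to the highest
    version; priority < 0 is never a candidate; below 1000 never downgrades."""
    inst = next((v for v in versions if v.installed), None)
    best = None
    for v in versions:
        if v.priority < 0 or (inst and v.priority < 1000 and v.ver < inst.ver):
            continue
        if best is None or (v.priority, v.ver) > (best.priority, best.ver):
            best = v
    return best


def find_better_version(versions):
    """Assumed model of the check the report describes: a newer version is 'better'
    when its priority is not below the installed one's, so uniform NEVER_PIN lets it through."""
    inst = next(v for v in versions if v.installed)
    newer = [v for v in versions if v.ver > inst.ver and v.priority >= inst.priority]
    return max(newer, key=lambda v: v.ver) if newer else None


def blacklist(versions):
    """The report's finding: every version of a blacklisted package is pinned to NEVER_PIN."""
    return [Version(v.ver, NEVER_PIN, v.installed) for v in versions]


def kept_packages(cache, with_patch):
    """Model of the loop the patch touches; with_patch adds the proposed skip."""
    kept = []
    for name, versions in cache.items():
        inst = next((v for v in versions if v.installed), None)
        if with_patch and inst and inst.priority == NEVER_PIN:
            continue  # blacklisted: cannot tell whether the newer version is a real candidate
        if find_better_version(versions):
            kept.append(name)
    return kept


# Constructed sample (made-up versions): kernel metapackage from stable at priority 500,
# a newer build on backports pinned to 100, and an unrelated package with a real update.
KERNEL = [Version((5, 10, 120, 1), 500, installed=True), Version((5, 17, 6, 1), 100)]
OTHER = [Version((1, 0), 500, installed=True), Version((1, 1), 500)]
CACHE = {"linux-image-amd64": blacklist(KERNEL), "other-pkg": OTHER}
```

With the original priorities apt keeps the installed kernel and no better version is found; once every version sits at NEVER_PIN the backports build passes the comparison and the package is reported as kept, unless the skip from the patch is applied.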


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.17.0-1-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages unattended-upgrades depends on:
ii  debconf [debconf-2.0]  1.5.79
ii  lsb-base               11.2
ii  lsb-release            11.2
ii  python3                3.9.8-1
ii  python3-apt            2.3.0+b1
ii  python3-dbus           1.2.18-3+b1
ii  python3-distro-info    1.1
ii  ucf                    3.0043
ii  xz-utils               5.2.5-2.1

Versions of packages unattended-upgrades recommends:
ii  anacron             2.3-32
ii  cron [cron-daemon]  3.0pl1-139
ii  systemd-sysv        250.4-1

Versions of packages unattended-upgrades suggests:
pn  bsd-mailx                                  <none>
ii  exim4-daemon-light [mail-transport-agent]  4.95-6
ii  needrestart                                3.6-1
ii  powermgmt-base                             1.36
ii  python3-gi                                 3.42.1-1

-- debconf information:
* unattended-upgrades/enable_auto_updates: true
