@khimaros
Last active November 15, 2024 08:29
debian testing with automatic security updates from unstable

00default-release

APT::Default-Release "testing";

99debsecan

APT::Update::Post-Invoke { "/usr/sbin/debsecan-apt-priority"; };

overview

WARNING: these commands can be very disruptive. review each of the files in this gist and on the filesystem which they will replace before executing the commands below.

when you run apt update, this script will be executed automatically. for each vulnerable package in testing which has been fixed in unstable, it will create a priority 990 pin for the unstable package.

background

from https://wiki.debian.org/DebianTesting:

It is a good idea to install security updates from unstable since they take extra time to reach testing and the security team only releases updates to unstable. If you have unstable in your apt sources but pinned lower than testing, you can automatically add temporary pinning for packages with security issues fixed in unstable using the output of debsecan.

prerequisites

these scripts assume that you are running debian testing and have enabled the unstable repositories but pinned at a lower priority by default.

this can usually be achieved by running the command below. USE WITH CAUTION and check that the output of apt update && apt full-upgrade --autoremove --purge looks reasonable before proceeding.

curl https://gist.githubusercontent.com/khimaros/21db936fa7885360f7bfe7f116b78daf/raw/0ddac34c0b7904113af9b1a3d81eae6c5fcd0c32/configure-sources.sh | sh

apt update && apt full-upgrade --autoremove --purge

installation

the command below will change your sources.list to debian testing, enable the unstable repositories pinned at a lower priority and configure debsecan to run with each apt update.

execute the following commands as root to install/enable:

curl https://gist.githubusercontent.com/khimaros/21db936fa7885360f7bfe7f116b78daf/raw/0ddac34c0b7904113af9b1a3d81eae6c5fcd0c32/enable-unstable-updates.sh | sh

apt update && apt full-upgrade --autoremove --purge

you can view the list of packages which will be installed from unstable in /var/lib/debsecan/apt_preferences
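
a check you can run over that file before trusting it, as an added example that is not part of the original gist: `audit_pins` (a hypothetical helper name) accepts only stanzas that pin one well-formed package name to unstable or unstable-debug at priority 990, and flags anything else, such as a wildcard. the package-name pattern is an assumption based on Debian Policy naming with an optional `:arch` suffix.

```shell
#!/bin/sh
# Added example, not part of the gist. audit_pins is a hypothetical helper.
# Usage: audit_pins /var/lib/debsecan/apt_preferences
# Prints "ok <package> <suite>" or "BAD <reason>: <package>" per stanza and
# returns non-zero if any stanza is not a single well-formed package name
# pinned to unstable or unstable-debug at priority 990.
audit_pins() {
    awk '
        function bad(why) { print "BAD " why ": " pkg; rc = 1 }
        function flush() {
            if (pkg == "" && pin == "" && prio == "") return
            # Debian Policy package name, optionally with an :arch qualifier.
            # A space-separated list or a wildcard fails this match.
            if (pkg !~ /^[a-z0-9][a-z0-9+.-]+(:[a-z0-9-]+)?$/) bad("package name")
            else if (pin !~ /^release a=unstable(-debug)?$/) bad("suite")
            else if (prio != "990") bad("priority")
            else print "ok " pkg " " substr(pin, 11)
            pkg = pin = prio = ""
        }
        /^#/              { next }                   # generated header comments
        /^[ \t]*$/        { flush(); next }          # a blank line ends a stanza
        /^Package: /      { flush(); pkg = substr($0, 10); next }
        /^Pin: /          { pin = substr($0, 6); next }
        /^Pin-Priority: / { prio = substr($0, 15); next }
                          { pkg = pkg " [unexpected line]"; next }  # forces BAD
        END               { flush(); exit rc + 0 }
    ' "$1"
}

# When run as a script with a file argument, audit that file.
if [ "$#" -gt 0 ]; then audit_pins "$1"; fi
```

a non-zero exit status means at least one stanza would do something other than what the generator script is meant to write.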

special cases

i recommend always running chromium and firefox from unstable.

this can be achieved with the following command:

curl -o /etc/apt/preferences.d/unstable-packages https://gist.githubusercontent.com/khimaros/21db936fa7885360f7bfe7f116b78daf/raw/0ddac34c0b7904113af9b1a3d81eae6c5fcd0c32/unstable-packages

apt update && apt install -y chromium firefox

uninstallation

note: uninstalling will not downgrade packages to their testing versions. you will need to do this yourself or wait for the packages to catch up on their own (which should typically happen within a few weeks).

curl https://gist.githubusercontent.com/khimaros/21db936fa7885360f7bfe7f116b78daf/raw/0ddac34c0b7904113af9b1a3d81eae6c5fcd0c32/disable-unstable-updates.sh | sh

configure-sources.sh

#!/bin/sh
set -ex

# replace the apt default release, the default pin priority and sources.list
curl -o /etc/apt/apt.conf.d/00default-release https://gist.githubusercontent.com/khimaros/21db936fa7885360f7bfe7f116b78daf/raw/a5ac6edf206c440b489fd14e9bc0d61c0c146716/00default-release
curl -o /etc/apt/preferences.d/default-priority https://gist.githubusercontent.com/khimaros/21db936fa7885360f7bfe7f116b78daf/raw/a5ac6edf206c440b489fd14e9bc0d61c0c146716/default-priority
curl -o /etc/apt/sources.list https://gist.githubusercontent.com/khimaros/21db936fa7885360f7bfe7f116b78daf/raw/a5ac6edf206c440b489fd14e9bc0d61c0c146716/sources.list

debsecan-apt-priority

#!/bin/sh
# this program will add APT pinning for packages that are fixed in
# unstable and not testing
#
# see https://bugs.debian.org/725934

set -e

echo "running debsecan check for issues fixed in unstable..." >&2

# build the new file under a temporary name, then move it into place
rm -f /var/lib/debsecan/apt_preferences.disabled
cat > /var/lib/debsecan/apt_preferences.disabled <<EOF
# pin packages with security issues fixed in unstable
# generated automatically on $(date) by $0
EOF

# the second space-separated field of each debsecan line is the package name
for pkg in $(debsecan --suite=sid --only-fixed | cut -d' ' -f2 | sort -u) ; do
    suite=unstable
    case "$pkg" in
        *-dbgsym)
            # debug symbol packages are pinned to a separate suite
            suite=unstable-debug
            ;;
    esac
    echo "adding pin to suite $suite for package $pkg" >&2
    # the trailing blank line separates records in the preferences file
    cat <<EOF >> /var/lib/debsecan/apt_preferences.disabled
Package: $pkg
Pin: release a=$suite
Pin-Priority: 990

EOF
done

chmod 644 /var/lib/debsecan/apt_preferences.disabled
mv --force /var/lib/debsecan/apt_preferences.disabled /var/lib/debsecan/apt_preferences

default-priority

Package: *
Pin: release a=unstable
Pin-Priority: 50

disable-unstable-updates.sh

#!/bin/bash
set -ex

# remove the link to the generated pins and the apt update hook
rm -f /etc/apt/preferences.d/unstable-security-packages
rm -f /etc/apt/apt.conf.d/99debsecan
apt update

enable-unstable-updates.sh

#!/bin/bash
set -ex

apt install -y debsecan

# install the pin generator and the apt hook that runs it
curl -o /usr/sbin/debsecan-apt-priority https://gist.githubusercontent.com/khimaros/21db936fa7885360f7bfe7f116b78daf/raw/a5ac6edf206c440b489fd14e9bc0d61c0c146716/debsecan-apt-priority
curl -o /etc/apt/apt.conf.d/99debsecan https://gist.githubusercontent.com/khimaros/21db936fa7885360f7bfe7f116b78daf/raw/a5ac6edf206c440b489fd14e9bc0d61c0c146716/99debsecan
chmod 755 /usr/sbin/debsecan-apt-priority

# expose the generated pins to apt
ln -sf /var/lib/debsecan/apt_preferences /etc/apt/preferences.d/unstable-security-packages

sources.list

deb http://deb.debian.org/debian/ testing main non-free contrib
deb-src http://deb.debian.org/debian/ testing main non-free contrib

deb http://security.debian.org/debian-security testing-security main contrib non-free
deb-src http://security.debian.org/debian-security testing-security main contrib non-free

deb http://deb.debian.org/debian/ unstable main non-free contrib
deb-src http://deb.debian.org/debian/ unstable main non-free contrib

unstable-packages

Package: chromium chromium-sandbox chromium-common
Pin: release a=unstable
Pin-Priority: 990

Package: firefox libnss3 libnss3:i386 libnss3-dev
Pin: release a=unstable
Pin-Priority: 990

@khimaros
Author

khimaros commented May 4, 2023

@crpb thanks for the suggestion, done!

@bilvapatra

The link to enable-unstable-updates.sh used in the installation section points to a version of 99debsecan that still says Pre-Invoke rather than Post-Invoke.

@yknip0

yknip0 commented Nov 9, 2023

The link to enable-unstable-updates.sh used in the installation section points to a version of 99debsecan that still says Pre-Invoke rather than Post-Invoke.

Still true today...
sed -i 's/Pre-/Post-/' /etc/apt/apt.conf.d/99debsecan

Thank you khimaros!

@Daniel15

Thanks for this! Very useful.

@thunderbird-93

very useful indeed. more people should know about this. best of the both worlds: relatively fresh packages yet quite stable.
