Stefan Monnier wrote:
> I noticed today that one of my machines was still running openssh
> 1:9.2p1-2+deb12u1 rather than 1:9.2p1-2+deb12u2 even though it is
> supposed to do its unattended-upgrades, so I tried a manual upgrade and
> the result was still the same.
>
> Only after
>
>     apt install openssh-server/stable-security
>
> did the machine get the new version :-(
>
> The `sources.list` file says:
>
>     deb http://security.debian.org/ stable-security main
>     deb http://deb.debian.org/debian stable main
>
> and the `apt.conf` says:
>
>     APT::Default-Release "stable";
>     Aptitude::CmdLine::Show-Deps "true";
>     APT::Periodic::Unattended-Upgrade "1";
>
> Which I thought was the "normal" config (modulo the use of "stable"
> instead of "bookworm") where the `stable-security` would automatically
> take precedence when applicable. But it looks like the
> `stable-security` repository is just not used at all!
>
> What am I missing?

https://wiki.debian.org/AptConfiguration#Be_careful_with_APT::Default-Release
(quoted entirely)

Maybe you have noticed examples like setting APT::Default-Release "stable"; or APT::Default-Release "bookworm";. It prevents installing security updates by apt upgrade, so avoid it. Instead of increasing priority of the current release, consider setting lower priority of added repositories through #apt_preferences (APT pinning).

Since Debian 11 bullseye the security repository is labeled as stable-security and e.g. bookworm-security, so at least use regular expression matching all primary suites

    APT::Default-Release "/^bookworm(|-security|-updates)$/";

-dsr-
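
The effect discussed in this thread, as an added example that is not part of either message or of the wiki page: a simplified model of how `APT::Default-Release` changes which openssh version becomes the install candidate. The matching rules in `release_matches`, the `rank` field standing in for dpkg version comparison, and the codenames in `OFFERS` are assumptions made for the illustration; the priorities 990 and 500 are the ones documented in apt_preferences(5).

```python
import fnmatch
import re

TARGET_PRIO, OTHER_PRIO = 990, 500  # target release vs. any other source


def release_matches(default_release, suite, codename):
    """Simplified model (assumption): the setting is tried against both the
    Suite and the Codename; /.../ is a regex, anything else a glob."""
    names = (suite.lower(), codename.lower())
    if len(default_release) > 2 and default_release[0] == default_release[-1] == "/":
        rx = re.compile(default_release[1:-1], re.IGNORECASE)
        return any(rx.search(n) for n in names)
    return any(fnmatch.fnmatchcase(n, default_release.lower()) for n in names)


def priority(default_release, suite, codename):
    """Priority a source receives under the given Default-Release (None = unset)."""
    if default_release and release_matches(default_release, suite, codename):
        return TARGET_PRIO
    return OTHER_PRIO


def candidate(default_release, offers):
    """Highest priority wins; the newest version wins only among equal priorities."""
    best = max(
        offers,
        key=lambda o: (priority(default_release, o["suite"], o["codename"]), o["rank"]),
    )
    return best["version"]


# Constructed model of the two sources.list entries in the post. "rank" is a
# hand-assigned ordering (higher = newer), not a real Debian version compare.
OFFERS = [
    {"suite": "stable", "codename": "bookworm",
     "version": "1:9.2p1-2+deb12u1", "rank": 1},
    {"suite": "stable-security", "codename": "bookworm-security",
     "version": "1:9.2p1-2+deb12u2", "rank": 2},
]

if __name__ == "__main__":
    for setting in (None, "stable", "bookworm", "/^bookworm(|-security|-updates)$/"):
        print(f"{setting!s:42} -> {candidate(setting, OFFERS)}")
```

On a real machine, `apt-cache policy openssh-server` shows the priorities APT actually assigned and which version is the candidate.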