Public bug reported:

Binary package hint: apt

This is related to all versions up to and including Hardy. I haven't tested
this on Intrepid so I'm not sure about the versions after Hardy.

According to the apt_preferences manpage, the target release can be set on
the apt-get command line or in the APT configuration file
/etc/apt/apt.conf, and "APT::Default-Release "stable";" is given as
an example. This is a very common and popular practice in the Debian
community to set the default release and use apt pinning, but doing this
in Ubuntu has a serious security impact with no obvious warning.

After setting APT::Default-Release to "hardy", which is the "Suite" name
for the main hardy source, no security fixes nor updates will be installed
unless their priorities are also set explicitly in apt_preferences. This
is because in Ubuntu's world, security fixes come from the "hardy-
security" source and other updates from the "hardy-updates" source,
which bear a different "Suite" from the main source. Setting APT::Default-
Release raises the priority of packages from the main source to 990, but
doesn't cover packages from hardy-security and hardy-updates, so the
latter are ignored since their packages now have a lower priority (priority
500 only) than the old ones in the main source (990).

I set APT::Default-Release to "hardy" in September this year and only found
this problem today. I removed that setting and was surprised to find that
I could install 46 accumulated security fixes and updates. It is pretty
sad to me to learn that I haven't had security fixes for more than 2
months.

This is a radical deviation from the Debian practice. In Debian all
security fixes and updates bear the same "Suite" (etch or lenny) so
setting APT::Default-Release to "etch" covers all security fixes and
updates.

I think it's unlikely that Ubuntu will change the organization of its
sources, so at least a fix for this problem is patching the
apt_preferences manpage, alerting people not to use APT::Default-Release
the way they have used it in Debian, and explaining the reason and the
resulting impact.

Version information of my apt from Hardy:
Architecture: i386
Version: 0.7.9ubuntu17.1

Thanks!

** Affects: apt (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Setting APT::Default-Release blocks security fix and updates
https://bugs.launchpad.net/bugs/295448
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
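The priority arithmetic described in the report, as an added example that is not part of the bug report or of apt itself: a small Python model of apt's candidate selection that parses apt_preferences(5) stanzas of the form `Package: *` / `Pin: release a=<suite>` / `Pin-Priority: N`, applies the 990 target-release priority and the 500 default, and picks the highest-priority (then highest-version) candidate. The package name, version numbers and the corrective preferences stanzas are constructed for illustration; the model only handles priorities below 1000, `release a=` pins, and plain dotted version strings, which is enough to show why hardy-security loses with a bare APT::Default-Release and wins once it is pinned explicitly.

```python
"""Simplified model of apt candidate selection under APT::Default-Release.

Added example (not apt's code). Constructed data: package "toolpkg" with
version 1.0 in hardy, 1.1 in hardy-security and 1.2 in hardy-updates.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Version:
    package: str
    version: str
    suite: str  # "Suite" field of the Release file, e.g. "hardy-security"


# Constructed sample: what `apt-cache policy` might list for one package.
AVAILABLE = [
    Version("toolpkg", "1.0", "hardy"),
    Version("toolpkg", "1.1", "hardy-security"),
    Version("toolpkg", "1.2", "hardy-updates"),
]

# Constructed corrective /etc/apt/preferences: give the Ubuntu security and
# update suites the same priority that APT::Default-Release gives "hardy".
CORRECTIVE_PREFERENCES = """
Package: *
Pin: release a=hardy-security
Pin-Priority: 990

Package: *
Pin: release a=hardy-updates
Pin-Priority: 990
"""


def parse_preferences(text):
    """Return {suite: priority} from 'Package: *' stanzas pinning 'release a=<suite>'.

    Stanzas are separated by blank lines; other pin forms are ignored here.
    """
    pins = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        match = re.match(r"release\s+a=(\S+)", fields.get("Pin", ""))
        if fields.get("Package") == "*" and match:
            pins[match.group(1)] = int(fields["Pin-Priority"])
    return pins


def priority(v, default_release, pins):
    """Pin priority of one version per apt_preferences(5), priorities < 1000 only."""
    if v.suite in pins:
        return pins[v.suite]
    if default_release is not None and v.suite == default_release:
        return 990  # "the version belongs to the target release"
    return 500  # any other installable version


def version_key(s):
    # Plain dotted numbers only; real apt uses dpkg's version comparison.
    return tuple(int(part) for part in s.split("."))


def candidate(versions, default_release=None, pins=None):
    """Highest pin priority wins; among equal priorities the highest version wins."""
    pins = pins or {}
    return max(
        versions,
        key=lambda v: (priority(v, default_release, pins), version_key(v.version)),
    )


def candidate_no_default_release():
    # Everything is at 500, so the newest version (hardy-updates) is chosen.
    return candidate(AVAILABLE)


def candidate_default_release_only():
    # The bug: "hardy" is at 990, security/updates stay at 500, old version wins.
    return candidate(AVAILABLE, default_release="hardy")


def candidate_with_explicit_pins():
    # With hardy-security and hardy-updates also pinned to 990, newest wins again.
    pins = parse_preferences(CORRECTIVE_PREFERENCES)
    return candidate(AVAILABLE, default_release="hardy", pins=pins)


if __name__ == "__main__":
    for label, fn in [
        ("no Default-Release", candidate_no_default_release),
        ("Default-Release hardy only", candidate_default_release_only),
        ("Default-Release hardy + pins", candidate_with_explicit_pins),
    ]:
        v = fn()
        print(f"{label:30} -> {v.version} from {v.suite}")
```

The middle case reproduces the report: with only APT::Default-Release set, the 1.0 version from "hardy" outranks the 1.1 security fix at priority 500, so no update is offered until the extra suites are pinned.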