mvo5 / unattended-upgrades

Automatic installation of security upgrades on apt based systems
GNU General Public License v2.0

checking if it is from an allowed origin and is not pinned down #322

Open Tealk opened 2 years ago

Tealk commented 2 years ago

Hello,

When I run unattended-upgrade -d I get a whole lot of packages for which I get the statement "Package xxx has a higher version available, checking if it is from an allowed origin and is not pinned down." Have I configured something incorrectly?

unattended-upgrade -d
Checking if system is running on battery is skipped. Please install powermgmt-base package to check power status and skip installing updates when the system is running on battery.
Starting unattended upgrades script
Allowed origins are: origin=Debian,codename=bullseye,label=Debian, origin=Debian,codename=bullseye,label=Debian-Security, origin=Debian,codename=bullseye-security,label=Debian-Security
Initial blacklist:
Initial whitelist (not strict):
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/download.docker.com_linux_debian_dists_bullseye_stable_binary-amd64_Packages'  a=bullseye,c=stable,v=,o=Docker,l=Docker CE arch='amd64' site='download.docker.com' IndexType='Debian Package Index' Size=67185 ID:12> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/ftp.debian.org_debian_dists_bullseye-backports_main_i18n_Translation-en'  a=bullseye-backports,c=main,v=,o=Debian Backports,l=Debian Backports arch='' site='ftp.debian.org' IndexType='Debian Translation Index' Size=1429230 ID:11> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/ftp.debian.org_debian_dists_bullseye-backports_main_binary-amd64_Packages'  a=bullseye-backports,c=main,v=,o=Debian Backports,l=Debian Backports arch='amd64' site='ftp.debian.org' IndexType='Debian Package Index' Size=1884855 ID:10> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/deb.debian.org_debian_dists_bullseye-updates_main_i18n_Translation-en'  a=stable-updates,c=main,v=11-updates,o=Debian,l=Debian arch='' site='deb.debian.org' IndexType='Debian Translation Index' Size=9252 ID:7> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/deb.debian.org_debian_dists_bullseye-updates_main_binary-amd64_Packages'  a=stable-updates,c=main,v=11-updates,o=Debian,l=Debian arch='amd64' site='deb.debian.org' IndexType='Debian Package Index' Size=9833 ID:6> with -32768 pin
Applying pinning: PkgFilePin(id=12, priority=-32768)
Applying pin -32768 to package_file: <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/download.docker.com_linux_debian_dists_bullseye_stable_binary-amd64_Packages'  a=bullseye,c=stable,v=,o=Docker,l=Docker CE arch='amd64' site='download.docker.com' IndexType='Debian Package Index' Size=67185 ID:12>
Applying pinning: PkgFilePin(id=11, priority=-32768)
Applying pin -32768 to package_file: <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/ftp.debian.org_debian_dists_bullseye-backports_main_i18n_Translation-en'  a=bullseye-backports,c=main,v=,o=Debian Backports,l=Debian Backports arch='' site='ftp.debian.org' IndexType='Debian Translation Index' Size=1429230 ID:11>
Applying pinning: PkgFilePin(id=10, priority=-32768)
Applying pin -32768 to package_file: <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/ftp.debian.org_debian_dists_bullseye-backports_main_binary-amd64_Packages'  a=bullseye-backports,c=main,v=,o=Debian Backports,l=Debian Backports arch='amd64' site='ftp.debian.org' IndexType='Debian Package Index' Size=1884855 ID:10>
Applying pinning: PkgFilePin(id=7, priority=-32768)
Applying pin -32768 to package_file: <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/deb.debian.org_debian_dists_bullseye-updates_main_i18n_Translation-en'  a=stable-updates,c=main,v=11-updates,o=Debian,l=Debian arch='' site='deb.debian.org' IndexType='Debian Translation Index' Size=9252 ID:7>
Applying pinning: PkgFilePin(id=6, priority=-32768)
Applying pin -32768 to package_file: <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/deb.debian.org_debian_dists_bullseye-updates_main_binary-amd64_Packages'  a=stable-updates,c=main,v=11-updates,o=Debian,l=Debian arch='amd64' site='deb.debian.org' IndexType='Debian Package Index' Size=9833 ID:6>
Using (^linux-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^kfreebsd-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^gnumach-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-modules-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-kernel-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^linux-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^kfreebsd-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^gnumach-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-modules-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-kernel-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$) regexp to find kernel packages
Using (^linux-.*-5\.10\.0\-14\-amd64$|^linux-.*-5\.10\.0\-14$|^kfreebsd-.*-5\.10\.0\-14\-amd64$|^kfreebsd-.*-5\.10\.0\-14$|^gnumach-.*-5\.10\.0\-14\-amd64$|^gnumach-.*-5\.10\.0\-14$|^.*-modules-5\.10\.0\-14\-amd64$|^.*-modules-5\.10\.0\-14$|^.*-kernel-5\.10\.0\-14\-amd64$|^.*-kernel-5\.10\.0\-14$|^linux-.*-5\.10\.0\-14\-amd64$|^linux-.*-5\.10\.0\-14$|^kfreebsd-.*-5\.10\.0\-14\-amd64$|^kfreebsd-.*-5\.10\.0\-14$|^gnumach-.*-5\.10\.0\-14\-amd64$|^gnumach-.*-5\.10\.0\-14$|^.*-modules-5\.10\.0\-14\-amd64$|^.*-modules-5\.10\.0\-14$|^.*-kernel-5\.10\.0\-14\-amd64$|^.*-kernel-5\.10\.0\-14$) regexp to find running kernel packages
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
Packages blacklist due to conffile prompts: []
No packages found that can be upgraded unattended and no pending auto-removals
Package curl has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package e2fsprogs has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package git has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package git-man has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package iproute2 has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package less has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package libbpf0 has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package libcom-err2 has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package libcurl3-gnutls has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package libcurl4 has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package libdeflate0 has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package libext2fs2 has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package libldap-2.4-2 has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package libldap-common has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package libnss-systemd has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package libpam-systemd has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package libss2 has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package libsystemd0 has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package libudev1 has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package linux-image-amd64 has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package logsave has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package man-db has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package open-vm-tools has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package rsyslog has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package systemd has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package systemd-sysv has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package systemd-timesyncd has a higher version available, checking if it is from an allowed origin and is not pinned down.
Package udev has a higher version available, checking if it is from an allowed origin and is not pinned down.
Extracting content from /var/log/unattended-upgrades/unattended-upgrades-dpkg.log since 2022-06-09 09:51:46

50unattended-upgrades

// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format "keyword=value,...".  A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line.  (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted.  The accepted keywords are:
//   a,archive,suite (eg, "stable")
//   c,component     (eg, "main", "contrib", "non-free")
//   l,label         (eg, "Debian", "Debian-Security")
//   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
//   n,codename      (eg, "jessie", "jessie-updates")
//     site          (eg, "http.debian.net")
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
//
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
//   ${distro_id}            Installed origin.
//   ${distro_codename}      Installed codename (eg, "buster")
Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        // Software will be the latest available for the named release,
        // but the Debian release itself will not be automatically upgraded.
//      "origin=Debian,codename=${distro_codename}-updates";
//      "origin=Debian,codename=${distro_codename}-proposed-updates";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Debian,a=stable";
//      "o=Debian,a=stable-updates";
//      "o=Debian,a=proposed-updates";
//      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};

// Python regular expressions, matching packages to exclude from upgrading
Unattended-Upgrade::Package-Blacklist {
    // The following matches all packages starting with linux-
//  "linux-";

    // Use $ to explicitly define the end of a package name. Without
    // the $, "libc6" would match all of them.
//  "libc6$";
//  "libc6-dev$";
//  "libc6-i686$";

    // Special characters need escaping
//  "libstdc\+\+6$";

    // The following matches packages like xen-system-amd64, xen-utils-4.1,
    // xenstore-utils and libxenstore3.0
//  "(lib)?xen(store)?";

    // For more information about Python regular expressions, see
    // https://docs.python.org/3/howto/regex.html
};

// This option allows you to control if on an unclean dpkg exit
// unattended-upgrades will automatically run
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while an upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";

// Install all updates when the machine is shutting down
// instead of doing it in the background while the machine is running.
// This will (obviously) make shutdown slower.
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
//Unattended-Upgrade::InstallOnShutdown "false";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "it.team@mmmgroup.com";

// Set this value to one of:
//    "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to choose between "only-on-error" and "on-change"
Unattended-Upgrade::MailReport "only-on-error";

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";

// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";

// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";

// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";

// Verbose logging
// Unattended-Upgrade::Verbose "false";

// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";

// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";

// When APT fails to mark a package to be upgraded or installed try adjusting
// candidates of related packages to help APT's resolver in finding a solution
// where the package can be upgraded or installed.
// This is a workaround until APT's resolver is fixed to always find a
// solution if it exists. (See Debian bug #711128.)
// The fallback is enabled by default, except on Debian's sid release because
// uninstallable packages are frequent there.
// Disabling the fallback speeds up unattended-upgrades when there are
// uninstallable packages at the expense of rarely keeping back packages which
// could be upgraded or installed.
// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";

sources.list

#------------------------------------------------------------------------------#
#                   OFFICIAL DEBIAN REPOS                    
#------------------------------------------------------------------------------#

###### Debian Main Repos
deb http://deb.debian.org/debian/ bullseye main contrib non-free
deb-src http://deb.debian.org/debian/ bullseye main contrib non-free

deb http://deb.debian.org/debian/ bullseye-updates main contrib non-free
deb-src http://deb.debian.org/debian/ bullseye-updates main contrib non-free

deb http://deb.debian.org/debian-security bullseye-security main
deb-src http://deb.debian.org/debian-security bullseye-security main

deb http://ftp.debian.org/debian bullseye-backports main
deb-src http://ftp.debian.org/debian bullseye-backports main
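The Origins-Pattern matching that the 50unattended-upgrades comments describe, as an added example that is not unattended-upgrades' own code: it expands the two macros, checks each index file from the debug log against the three active pattern lines (every supplied keyword must match, omitted keywords are wild cards), and shows which index would additionally become an allowed origin if the commented-out "-updates" line were enabled. The index metadata is constructed from the log's a=/o=/l=/site= fields; the codename values are an assumption, since the apt_pkg repr in the log does not print them.

```python
# Added example, not unattended-upgrades' own code: re-implements the
# Origins-Pattern matching described in the 50unattended-upgrades comments and
# runs it over the index files from the debug log. Index metadata is taken
# from the log's a=/o=/l=/site= fields; the codename values are assumed.
ALIASES = {"a": "archive", "archive": "archive", "suite": "archive",
           "c": "component", "component": "component", "l": "label", "label": "label",
           "o": "origin", "origin": "origin", "n": "codename", "codename": "codename",
           "site": "site"}
NOT_ALLOWED_PIN = -32768  # the pin the log applies to every non-matching index

ACTIVE_PATTERNS = [  # the three uncommented lines from the posted config
    "origin=Debian,codename=${distro_codename},label=Debian",
    "origin=Debian,codename=${distro_codename},label=Debian-Security",
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security",
]
UPDATES_PATTERN = "origin=Debian,codename=${distro_codename}-updates"  # commented out

def index(archive, codename, origin, label, site):
    return dict(archive=archive, codename=codename, origin=origin, label=label, site=site)

INDEX_FILES = {  # constructed from the log; codenames assumed
    "bullseye": index("stable", "bullseye", "Debian", "Debian", "deb.debian.org"),
    "bullseye-security": index("stable-security", "bullseye-security", "Debian",
                               "Debian-Security", "deb.debian.org"),
    "bullseye-updates": index("stable-updates", "bullseye-updates", "Debian", "Debian",
                              "deb.debian.org"),
    "bullseye-backports": index("bullseye-backports", "bullseye-backports", "Debian Backports",
                                "Debian Backports", "ftp.debian.org"),
    "docker-ce": index("bullseye", "bullseye", "Docker", "Docker CE", "download.docker.com"),
}

def parse_pattern(line, distro_id="Debian", distro_codename="bullseye"):
    """Expand the two macros and map each keyword=value to its canonical field."""
    line = line.replace("${distro_id}", distro_id).replace("${distro_codename}", distro_codename)
    fields = {}
    for item in line.split(","):
        key, _, value = item.partition("=")
        fields[ALIASES[key.strip()]] = value.strip()
    return fields

def matches(pattern, idx):
    """Every supplied keyword must match; omitted keywords are wild cards."""
    return all(idx.get(field) == value for field, value in pattern.items())

def pins_for(pattern_lines, index_files=INDEX_FILES):
    """{index name: pin}: None means allowed origin, -32768 means marked not allowed."""
    patterns = [parse_pattern(p) for p in pattern_lines]
    return {name: None if any(matches(p, idx) for p in patterns) else NOT_ALLOWED_PIN
            for name, idx in index_files.items()}

if __name__ == "__main__":
    print("active config:      ", pins_for(ACTIVE_PATTERNS))
    print("plus -updates line: ", pins_for(ACTIVE_PATTERNS + [UPDATES_PATTERN]))
```

With the active lines only, bullseye and bullseye-security are the allowed origins and bullseye-updates, bullseye-backports and Docker CE get the -32768 pin seen in the log; the second line of the config (codename=bullseye with label=Debian-Security) matches nothing on bullseye because the security index carries codename bullseye-security.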