Feature #38471
open
Incorrect APT Pinning Priority for Debian Backports in Katello Repositories
Description
When syncing and publishing Debian Backports repositories via Katello, the generated APT metadata assigns a default priority of 500 to the backports repository. This behavior differs from Debian’s native configuration, where backports are assigned a priority of 100 to prevent unintended upgrades.
Steps to Reproduce:
Create a content view in Katello for Debian 11.
Add the official bullseye-backports repository as a custom repository.
Publish and promote the content view.
On a subscribed client, run apt-cache policy.
Expected Behavior:
Backports should have a priority of 100, consistent with Debian’s default behavior, to avoid automatic installation of backports packages unless explicitly requested.
Actual Behavior:
Backports are assigned a priority of 500, making them equally preferred as stable packages.
Example output from apt-cache policy:
Package files:
100 /var/lib/dpkg/status
release a=now
500 katello://katello.example.org/pulp/content/M3M/test/CV_DEBIAN_11/custom/Debian_11/Debian_11_Backports bullseye-backports/main all Packages
release o=Debian Backports,a=bullseye-backports,n=bullseye-backports,l=Debian Backports,c=main,b=all
origin katello.example.org
500 katello://katello.example.org/pulp/content/M3M/test/CV_DEBIAN_11/custom/Debian_11/Debian_11_Backports bullseye-backports/main amd64 Packages
release o=Debian Backports,a=bullseye-backports,n=bullseye-backports,l=Debian Backports,c=main,b=amd64
origin katello.example.org
500 katello://katello.example.org/pulp/content/M3M/test/CV_DEBIAN_11/custom/Package_deb/antivirus-cortex katello/upload amd64 Packages
release o=Pulp 3,a=katello,n=katello,c=upload,b=amd64
origin katello.example.org
500 https://packages.sury.org/php bullseye/main amd64 Packages
release o=deb.sury.org,a=bullseye,n=bullseye,c=main,b=amd64
origin packages.sury.org
Impact:
This can lead to unintended installation of packages from backports, potentially introducing instability or unsupported packages in production environments.
Suggested Fix:
Katello should allow setting custom APT priorities per repository, or automatically assign a priority of 100 to repositories identified as Debian Backports.
Updated by jerome lepez 10 months ago
- Fixed in Releases Katello 4.19.0 added
- Fixed in Releases deleted (
Katello 4.18.0) - Found in Releases Katello 4.17.0 added
- Found in Releases deleted (
Katello 3.16.1)
Updated by
Updated by Quirin Pamp 4 months ago
· Edited
I spent some time looking into this:
It turns out the backports priority of 100 on upstream Debian backports repositories is based on some rules hard coded into apt itself.
As such, the only way for this to work out of the box, is for the repo config we create using subscription-manager to match those rules.
One necessary prerequisite for this is structured APT, which became a mandatory feature with Katello 4.19. (Before it could be optionally enabled for a couple of versions).
However, from my testing, structured APT is not yet sufficient.
The following output is from running apt-cache policy in a plain "debian:trixie-backports" container:
100 http://deb.debian.org/debian trixie-backports/main amd64 Packages
release o=Debian Backports,a=stable-backports,n=trixie-backports,l=Debian Backports,c=main,b=amd64
origin deb.debian.orgThe following is from running apt-cache policy on my test system registered to Katello with structured APT enabled:
500 katello://test-deploy-master.infra.dev.atix/pulp/content/ATIX/development/CCV_Debian_13/custom/Debian_13/Debian_13_backports trixie-backports/main amd64 Packages
release o=Debian Backports,a=stable-backports,n=trixie-backports,l=Debian Backports,c=main,b=amd64
origin test-deploy.infra.dev.exampleNote that apart from the URL, the only thing that appears to be different is the "origin" field, but we are still getting the default priority of 500.
In the mean time, it is possible for users to configure the desired priority manually within "/etc/apt/preferences.d/". This is not done or controlled by Katello or subscription-manager in any way.
I feel like there is a feature request here as well: Make it so I can set an apt priority for my repositories within Katello, and then subscription-manager will configure this for me.
Updated by Quirin Pamp 4 months ago
Did some more digging, and it looks like the alternate pinning priority is actually based on the following in the repo metadata:
NotAutomatic: yes
ButAutomaticUpgrades: yes
Syncing these fields is actually something we would need to do on the pulp_deb side.
Updated by Quirin Pamp 2 months ago
- Is duplicate of Bug #38239: Debian backports priorities added
Updated by Bernhard Suttner 11 days ago
Since structured apt, its fully possible to configure such rules like:
root@debian13:~# cat /etc/apt/preferences.d/trixie-upd
Package: *
Pin: release v=13-updates,o=Debian,a=stable-updates,n=trixie-updates,l=Debian,c=main,b=all
Pin-Priority: 110
Which would set the Priority to 110 for the specific release. See apt-cache policy.