Apt-Pinning

  • tinivole
Posted: Tue, 05/20/2008 - 10:43
Hi all. It's been too long since I last used 64Studio, but luck came my way and I took the opportunity to have another crack at setting one up! American Trends Motherboard, NVIDIA 8500GT Graphics and a RME HDSP 9632 Soundcard. Hmmm... Now it all works... Must be the Motherboard! :D Atheros Wireless PCI card is brilliant too! (dhcdhd kept hanging everytime it connected to any router last time). Done quite a bit of tweaking and I have everything setup perfect! (Even have DVD play that works better than Ubuntu Hardy!) So I've practically locked my user out of everything to do with root, and I've softlinked the Synaptic and Apt Preference files and I've pinned every package at it's current version number. The only question I have left is that will this line put all newer security updates to have a higher priority than everything I have so far if everything is locked at priority=1001? Package: * Pin: origin http://security.debian.org Pin-Priority: 2000 Because I want to keep on top of these things just incase another huge security fiasco happens again. Regards Iain
‹ Why stable? System Sound ›

pinning everything

  • skullnotions
  • 09/29/07
  • Wed, 05/21/2008 - 15:09
  • Copy comment link
Is fine, some people install and don't upgrade "ever", "if it works" leave it alone, is their way. Your method will keep them secure. I can't think of a time 64studio has broke on me, unless I broke it testing! You will find everything is safe and stable... Only you can find that out for yourself. If my system does break I would just accept it and reinstall, but it hasn't happened yet! It sounds to me like you know just what you want from your system. I don't fully understand apt-pin, but I have learned a lot here. Thanks, dave

I see the meaning in your point...

  • tinivole
  • 08/22/07
  • Wed, 05/21/2008 - 13:27
  • Copy comment link
You must use a "method" to pin "everything" at once? What about when an upgrade becomes available for a package you want to upgrade, How will the setup deal with dependencies for the package? Yeah, I do hear you on that one. Maybe I'm just being over-cautious with it all. As first time round, 64Studio was actually the first Linux Distribution that I tried! And as it turns out, I had all the wrong hardware and everything broke/froze! I've since been working on Debian Etch/Lenny systems to build up my confidence of using it. I suppose I could settle for a less restrictive style pinning: ie: > security=1001 > etch=800 > 64studio=600 Thus all others will be ignored. I will probably take me a while to realise that everything is safe and stable though (you can't blame me for thinking so). Although it would be nice have it so nothing is upgraded until a security release comes through (all subsequent dependencies are then upgraded to match the security package). Regards Iain

Thanks!

  • skullnotions
  • 09/29/07
  • Wed, 05/21/2008 - 09:57
  • Copy comment link
Iain for explaining this, I have only ever pinned a couple of applications at a time. I always disable auto-upgrades and deal with upgrades myself. You must use a "method" to pin "everything" at once? What about when an upgrade becomes available for a package you want to upgrade, How will the setup deal with dependencies for the package? I have been looking to try and find the answer to your pin question. When I look for Apt pinning all packages, I get pointed back at your post! This below looks like a basic setup, but I think you are on a different level with your config. http://www.imped.net/2007/07/20/apt-pinning-installing-unstable-packages-on-stable-debian/ Cheers, dave.

Apt-Pinning 2

  • skullnotions
  • 09/29/07
  • Tue, 05/20/2008 - 16:13
  • Copy comment link
Hi Iain, Very nice setup you have there! I dont quite understand what you mean here? > I've softlinked the Synaptic and Apt Preference files and I've pinned every package at it's current version number. If you have the default 64studio and etch security repositories enabled in synaptic, you should be fine. I enable the 64studio testing repository without problems. I find the system very stable. Daniel explains security and synaptic sources here. Major security flaw in Etch SSL packages http://64studio.com/node/565 Cheers, dave

> RE: I dont quite

  • tinivole
  • 08/22/07
  • Tue, 05/20/2008 - 17:21
  • Copy comment link
> RE: I dont quite understand what you mean here? apt's preference file is stored in /etc/apt/preferences. while synaptic's is stored in /var/lib/synaptic/preferences. To make both files one, (and to save doing the same thing twice) one would type in ln -s /var/lib/synaptic/preferences /etc/apt/preferences And "locked every package at it's current version" means that I've added to the file: Package: 64studio Pin: version 2.0 Pin-Priority: 1001 #...etc...# Package: bash Pin: version 3.1dfsg-8 Pin-Priority: 1001 #...etc...# Package: sudo Pin: version 1.6.8p12-4 Pin-Priority: 1001 And it is like that for all currently installed packages, so nothing should get upgraded/auto upgraded ever, even if there is a newer version in the repositories (I've setup a script in /etc/apt/apt.conf.d/50unattendedupgrades so the security repository can be auto upgraded without my permission). Hence why I asked if about whether or not I give the security repository a higher priority number that it will take priority over of all the locked packages and install that security update (as I've never tried to lock something up like this before). And my sources list looks like this: deb http://apt.64studio.com/64studio/stable 64studio main deb http://debian-multimedia.fx-services.com/ stable main deb http://ftp.uk.debian.org/debian/ stable main contrib non-free deb http://security.debian.org stable/updates main contrib non-free deb http://www.backports.org/debian/ etch-backports main contrib non-free deb http://wine.budgetdedicated.com/apt etch main deb-src http://ftp.uk.debian.org/debian/ stable main contrib non-free Regards Iain