I am running a mixed testing/unstable system and I manually upgrade packages to unstable when a CVE has been fixed in unstable but the fix hasn't yet migrated to testing. I am using pinning to keep most packages at the testing version and have apt preferences set to upgrade packages from unstable within unstable. It would be nice if debsecan could write out an apt preferences file for packages that have a security issue fixed in unstable such that when I do apt-get upgrade I will get the security issues fixed before the packages migrate to testing. This would require some configuration since different folks will be using different pinning, but once it is set up it could be very useful.

pabs@chianamo ~ $ cat /etc/apt/preferences.d/system
Package: *
Pin: release a=testing
Pin-Priority: 800

Package: *
Pin: release a=unstable
Pin-Priority: 700

Package: *
Pin: release a=experimental
Pin-Priority: 600
#!/bin/sh
# First attempt: pin every package that debsecan reports as fixed in unstable.
# Field 2 of debsecan's summary output is the binary package name.
# Note: ">" truncates the file on every iteration, so only the last package's
# stanza survives, and "grep fixed" also matches the word anywhere on the line;
# the revised script below fixes both.
for pkg in $(debsecan | grep fixed | cut -d' ' -f2 | sort -u) ; do
    cat <<EOF > /etc/apt/preferences.d/debsecan
Package: $pkg
Pin: release a=unstable
Pin-Priority: 900
EOF
done
#!/bin/sh
# https://bugs.debian.org/725934
# Revised version: match only the "(fixed" flag, append every stanza to a
# staging file, then rename it into place so apt never reads a partial file.
# Note: if debsecan reports nothing as fixed, the staging file is never
# created, chmod/mv fail, and the previous pin file stays in place.
for pkg in $(debsecan | grep -E '\(fixed(\)|, )' | cut -d' ' -f2 | sort -u) ; do
    cat <<EOF >> /etc/apt/preferences.d/debsecan.disabled
Package: $pkg
Pin: release a=unstable
Pin-Priority: 900
EOF
done
chmod 644 /etc/apt/preferences.d/debsecan.disabled
mv --force /etc/apt/preferences.d/debsecan.disabled /etc/apt/preferences.d/debsecan
I've now integrated it into apt, fixed dbgsym and moved it out of /etc into /var.
/etc/apt/apt.conf.d/99debsecan:
APT::Update::Pre-Invoke { "/usr/sbin/debsecan-apt-priority"; };
/usr/sbin/debsecan-apt-priority:
#!/bin/sh
set -e
# https://bugs.debian.org/725934
rm -f /var/lib/debsecan/apt_preferences.disabled
# Create the staging file up front so the chmod/mv below do not abort under
# set -e when debsecan reports nothing as fixed.
touch /var/lib/debsecan/apt_preferences.disabled
# The loop header and the first case branch are missing from this copy of
# the message. The loop is taken from the earlier script in this bug; the
# -dbgsym branch is an assumption: debug symbol packages come from the
# debian-debug archive, whose suite is named unstable-debug, so a pin on
# a=unstable would never match them.
for pkg in $(debsecan | grep -E '\(fixed(\)|, )' | cut -d' ' -f2 | sort -u) ; do
    case "$pkg" in
        *-dbgsym)
            cat <<EOF >> /var/lib/debsecan/apt_preferences.disabled
Package: $pkg
Pin: release a=unstable-debug
Pin-Priority: 900
EOF
            ;;
        *)
            cat <<EOF >> /var/lib/debsecan/apt_preferences.disabled
Package: $pkg
Pin: release a=unstable
Pin-Priority: 900
EOF
            ;;
    esac
done
chmod 644 /var/lib/debsecan/apt_preferences.disabled
mv --force /var/lib/debsecan/apt_preferences.disabled /var/lib/debsecan/apt_preferences
Control: tag -1 +patch

I've reviewed pabs' script and improved it a bit. Here's a "commitlog" of changes:

* silence a shellcheck warning
* linting: fix indentation and add description
* simplify main loop
* add explanatory header for generated file
* add warning at beginning of debsecan script to explain delay

Commitlog also available here, somewhat:
https://gitlab.com/anarcat/puppet/-/commits/b6bc3e3dc982abcc4100143abb6594404b1241ac

The code is attached and also available here:
https://gitlab.com/anarcat/puppet/-/raw/b6bc3e3dc982abcc4100143abb6594404b1241ac/site-modules/profile/files/debsecan-apt-priority

I also wrote this Puppet manifest (also attached) to deploy it on machines running testing:
https://gitlab.com/anarcat/puppet/-/raw/a7a7b75e0f3a0d2795449e7159ec6c3d023ad508/site-modules/profile/manifests/debsecan.pp

I understand that it would be better if this was merged inside debsecan itself (and therefore rewritten in Python), but I think just having this at all would be great. Maybe just shipping the script in the Debian package would be a start? Let us not make perfect the enemy of good here; this has been sitting in the BTS for 8 years now. Can we at least get this to land in bookworm and see where we go from here? :)

a.
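As an added example, not code from this bug thread, from pabs' or anarcat's scripts, or from debsecan itself, here is the same pin generator in the Python form the previous message mentions: it parses debsecan's summary lines, keeps only issues flagged "fixed", emits one stanza per package, and writes the file atomically so apt never reads a half-written preferences file. The summary line layout, the unstable-debug suite for -dbgsym packages and the sample output are assumptions drawn from the shell scripts above.

```python
import os
import re
import tempfile

# One debsecan summary line: "<issue> <package> (<flag>, <flag>, ...)".
# The parenthesised flag list is optional; "fixed" means unstable has the fix.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)(?:\s+\((.*)\))?\s*$")

def fixed_packages(debsecan_output):
    """Sorted, de-duplicated package names whose issue carries the 'fixed' flag."""
    pkgs = set()
    for line in debsecan_output.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(3):
            continue
        flags = [f.strip() for f in m.group(3).split(",")]
        if "fixed" in flags:
            pkgs.add(m.group(2))
    return sorted(pkgs)

def pin_stanza(pkg, priority=900):
    """One apt preferences stanza pinning pkg to the unstable suite."""
    # Assumption: -dbgsym packages come from the debian-debug archive, whose
    # suite is named unstable-debug, so a pin on a=unstable would not match them.
    suite = "unstable-debug" if pkg.endswith("-dbgsym") else "unstable"
    return f"Package: {pkg}\nPin: release a={suite}\nPin-Priority: {priority}\n"

def render_preferences(debsecan_output, priority=900):
    """Whole preferences file; header only when nothing is fixed (no stale pins)."""
    header = "# Generated from debsecan output by debsecan-apt-priority; do not edit.\n"
    stanzas = [pin_stanza(p, priority) for p in fixed_packages(debsecan_output)]
    return header + "\n".join(stanzas)

def write_preferences(path, content):
    """Write via a temp file and rename so apt never reads a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".debsecan-")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)

# Constructed sample of debsecan summary output (not real data).
SAMPLE = """\
CVE-2023-0001 openssl (fixed, remotely exploitable, high urgency)
CVE-2023-0002 openssl (fixed)
CVE-2023-0003 libfoo-dbgsym (fixed, remotely exploitable)
CVE-2023-0004 bar (remotely exploitable, high urgency)
"""
```

Feeding real output works as `write_preferences("/var/lib/debsecan/apt_preferences", render_preferences(subprocess.check_output(["debsecan"], text=True)))`; the generated file still needs to be reachable from apt's preferences directory, as in the scripts above.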
The scripts linked above were not working for me. I've modified them to work with the latest release of debsecan and included a bit more background, prerequisites, and detailed instructions in this gist: https://gist.github.com/khimaros/21db936fa7885360f7bfe7f116b78daf
Hi Florian,

since debsecan came up as a candidate for the bug of the day, I have verified bugs tagged patch. I left

#470065 debsecan: Better report for backports
#588064 Parse config file before option checking
#725934 debsecan: automatically add apt pinning for packages with security issues

untouched (submitters of patches in CC) since the package is now several versions ahead. I would prefer if submitters could verify the patches and possibly provide MRs. For this purpose, and to enable you to check what exactly was NMUed, I migrated the package to Salsa at

https://salsa.debian.org/debian/debsecan

If you do not agree with the Salsa migration, please update your clone that used to be at gitlab and I will cancel the upload - and for sure let me know if you have other reasons for making me cancel the upload to delayed=15.

Kind regards
Andreas.