@JacobCoffee
Member

Description

I feel like the pinning is "working" because apt install salt-minion properly set the version down back to 3006.*

I propose adding a negative pin prio for 3007.* (on top of our existing pin priority) for now to make sure it just fails if it tries

Package: salt-*
Pin: version 3007.*
Pin-Priority: -1

Closes

Package: salt-*
Pin: version 3007.*
Pin-Priority: -10
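
Review bot: "Pin-Priority: -10" on the last line of this stanza does not match the PR description, which proposes "Pin-Priority: -1". Both values are negative, so either one falls under the "P < 0 prevents the version from being installed" rule quoted in this thread, but the description and the file should agree on one value. A short comment above the stanza saying why 3007.* is blocked, and that it sits on top of the existing priority pin, would help whoever removes it when the 3007 upgrade is planned.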
Member

3007.* already has a lower priority, I believe this was due to unattended-upgrades ignoring pinning. My best guess is that the 3007 release that was picked up came through a security channel and pinning was bypassed.

Member

Unattended-Upgrade::Allowed-Origins {
is probably where we need to include all origins so that they are taken into account together when selecting packages for unattended upgrades.

Member Author

I figured it had lower priority but I was interpreting the man page of https://manpages.ubuntu.com/manpages/focal/man5/apt_preferences.5.html

P < 0
prevents the version from being installed

to mean that it will actually go beyond priority and just outright block/say no to installing any 3007.* thing

Member Author

> came through a security channel and pinning was bypassed.

Is there any way to prevent that? 😅

Member Author

Maybe apt-mark hold but then we'd have to manually update :\

Member

https://askubuntu.com/questions/1515902/how-to-get-unattended-upgrade-to-obey-apt-pinned-packages seems to indicate this is known behavior/bug in unattended upgrades and offers a solution.
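
A check for the situation discussed in this thread, as an added example that is not part of the PR or the project's code: it reads `apt-cache policy` output and fails if a 3007.* version is installed, is the install candidate, or appears in the version table without a negative priority. The names `check_salt_pin`, `sample_pinned` and `sample_unpinned`, the version numbers and the repository URL are constructed for illustration, and the parser assumes the apt 1.1+ version table layout, where the number after each version is that version's pin priority. It reports apt's own view and what is already installed; it does not model how unattended-upgrades selects packages.

```shell
#!/bin/sh
# Added example; check_salt_pin and the sample_* helpers are hypothetical names.
# Reads `apt-cache policy <pkg>` output on stdin and exits 1 if a version in the
# blocked series (default prefix "3007.") is installed, is the candidate, or is
# listed in the version table with a non-negative priority.
check_salt_pin() {
    awk -v blocked="${1:-3007.}" '
        function is_blocked(v) { return index(v, blocked) == 1 }
        $1 == "Installed:" && is_blocked($2) { print "installed " $2; bad = 1 }
        $1 == "Candidate:" && is_blocked($2) { print "candidate " $2; bad = 1 }
        in_table {
            # Version rows: "[***] <version> <priority>". Origin rows start
            # with a number and never match the blocked prefix.
            v = ($1 == "***") ? $2 : $1
            p = ($1 == "***") ? $3 : $2
            if (is_blocked(v) && p ~ /^-?[0-9]+$/ && p + 0 >= 0) {
                print "unpinned " v " priority " p; bad = 1
            }
        }
        $1 == "Version" && $2 == "table:" { in_table = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample: negative pin in effect, 3006 stays the candidate.
sample_pinned() { cat <<'EOF'
salt-minion:
  Installed: 3006.9
  Candidate: 3006.9
  Version table:
     3007.1 -1
        500 https://packages.example.invalid/salt stable/main amd64 Packages
 *** 3006.9 1001
        100 /var/lib/dpkg/status
EOF
}

# Constructed sample: no negative pin, 3007 has become the candidate.
sample_unpinned() { cat <<'EOF'
salt-minion:
  Installed: 3006.9
  Candidate: 3007.1
  Version table:
     3007.1 500
        500 https://packages.example.invalid/salt stable/main amd64 Packages
 *** 3006.9 500
        100 /var/lib/dpkg/status
EOF
}
```

On a host, pipe real output into it, for example `apt-cache policy salt-minion | check_salt_pin`, and alert on a non-zero exit status.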

Development

Successfully merging this pull request may close these issues.

Certificate of docs.nyc1.psf.io has expired