[Software] Debian security updates

delphi_coder
Posts: 6
Joined: 2024-07-06 08:47

[Software] Debian security updates

#1 Post by delphi_coder »

What I like to do about updating my system (whether security or generic updates) is simply to use the apt command (sudo apt update/upgrade), and I like to disable any kind of automatic query or notification for updates. I did some research and executed some commands:
sudo dpkg -P unattended-upgrades

Content of this file:
~$ cat /etc/apt/apt.conf.d/10periodic
APT::Periodic::Enable "0";
APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "0";

My Linux version:
~$ uname -a
Linux deb 6.1.0-22-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.94-1 (2024-06-21) x86_64 GNU/Linux

I am still getting notifications in the system tray from Discover most of the time about security updates, and sometimes vscode. I want to disable all of them, no matter how important they are.
Unticking sources in the Discover app settings causes the apt command to fail and misbehave, so I don't like that as a solution.
Any ideas?
Last edited by delphi_coder on 2024-07-06 17:24, edited 1 time in total.

FreewheelinFrank
Global Moderator
Posts: 2223
Joined: 2010-06-07 16:59
Has thanked: 42 times
Been thanked: 236 times

Re: [Software] Debian security updates

#2 Post by FreewheelinFrank »

Welcome to the forum!

What desktop environment is this?

sunrat
Administrator
Posts: 6950
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 122 times
Been thanked: 570 times

Re: [Software] Debian security updates

#3 Post by sunrat »

FreewheelinFrank wrote: 2024-07-06 10:03 What desktop environment is this?
Discover is KDE Plasma's GUI package manager.

I remember when I installed my current system it was Bullseye Testing and I just purged plasma-discover. I don't care for GUI package managers. Subsequently upgraded to Bookworm and I still don't have it. I don't have any issues and always just use apt for package management.
Actually I just checked and it's a recommended package for plasma-desktop, not a hard dependency.

Code: Select all

$ apt rdepends plasma-discover
plasma-discover
Reverse Depends:
  Breaks: plasma-discover-backend-flatpak (<< 5.19.4-2~)
  Suggests: software-properties-qt
  Replaces: plasma-discover-backend-snap (<< 5.19.4-2~)
  Breaks: plasma-discover-backend-snap (<< 5.19.4-2~)
  Depends: plasma-discover-backend-snap (= 5.27.5-2)
  Depends: plasma-discover-backend-fwupd (= 5.27.5-2)
  Replaces: plasma-discover-backend-flatpak (<< 5.19.4-2~)
  Recommends: plasma-desktop (>= 5.27.5~)
  Depends: plasma-discover-backend-flatpak (= 5.27.5-2)
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

delphi_coder
Posts: 6
Joined: 2024-07-06 08:47

Re: [Software] Debian security updates

#4 Post by delphi_coder »

FreewheelinFrank wrote: 2024-07-06 10:03 Welcome to the forum!

What desktop environment is this?
Thank you.
It's KDE Plasma.
Last edited by delphi_coder on 2024-07-06 19:41, edited 1 time in total.

FreewheelinFrank
Global Moderator
Posts: 2223
Joined: 2010-06-07 16:59
Has thanked: 42 times
Been thanked: 236 times

Re: [Software] Debian security updates

#5 Post by FreewheelinFrank »

The topic is a bit of a bugbear for me, as there doesn't seem to be any clear documentation on the subject.

I thought I had worked it out a few years ago, when the chain was like this:

[DE update notifier] > [PackageKit] > [Apt config] > [Systemd trigger]

So Systemd has a daily timer for Apt update and upgrade events, which must be enabled in Apt configuration files; PackageKit monitors Apt to see when it has done an update; and the DE update notifier alerts the user if an update is available.

The Apt configuration file was provided by unattended-upgrades (20auto-upgrades - which can actually trigger an update and an upgrade) or apt-config-auto-update (10periodic - update only). Which of course are the configuration package/file you suspected were responsible for seeing updates.

unattended-upgrades used to be a default install with Gnome, but isn't any more, yet Gnome still alerts users of updates. How? I don't know - the chain seems to be broken.

As sunrat's list of depends hints, DE update notifiers now notify of updates to flatpaks and firmware, or at least Gnome's does, and I'm assuming it's a PackageKit thing and KDE does too.

I believe that PackageKit is aware of updates to flatpaks, firmware and possibly system packages using appstream metadata, so these updates may show up in the DE update notifier even if Apt updates are disabled.

viewtopic.php?p=799782&hilit=does+gnome ... se#p799782

I don't understand the Systemd timer well enough to understand if it is actually configured in Gnome/KDE to update the package list without an Apt config file. fabien posted some script here which may be the missing link.

viewtopic.php?p=799782#p799782

Disabling all updates seems to be possible by nuking PackageKit or disabling autostart of Discover.

https://superuser.com/questions/1368573 ... p-in-kde-5

Which of course is NOT a recommended action. The Debian developers would like users to be aware by default of important security updates, for good reason.

viewtopic.php?p=798828#p798828

Nonetheless, for users like yourself who want to handle updates manually, or for users who would just like to understand the process by which notifications happen, some documentation would be useful.

delphi_coder
Posts: 6
Joined: 2024-07-06 08:47

Re: [Software] Debian security updates

#6 Post by delphi_coder »

sunrat wrote: 2024-07-06 11:08 I remember when I installed my current system it was Bullseye Testing and I just purged plasma-discover. I don't care for GUI package managers. Subsequently upgraded to Bookworm and I still don't have it. I don't have any issues and always just use apt for package management.
Actually I just checked and it's a recommended package for plasma-desktop, not a hard dependency.

Code: Select all

$ apt rdepends plasma-discover
plasma-discover
Reverse Depends:
  Breaks: plasma-discover-backend-flatpak (<< 5.19.4-2~)
  Suggests: software-properties-qt
  Replaces: plasma-discover-backend-snap (<< 5.19.4-2~)
  Breaks: plasma-discover-backend-snap (<< 5.19.4-2~)
  Depends: plasma-discover-backend-snap (= 5.27.5-2)
  Depends: plasma-discover-backend-fwupd (= 5.27.5-2)
  Replaces: plasma-discover-backend-flatpak (<< 5.19.4-2~)
  Recommends: plasma-desktop (>= 5.27.5~)
  Depends: plasma-discover-backend-flatpak (= 5.27.5-2)
Too sad if I couldn't find any better way than uninstalling discover

fabien
Forum Helper
Posts: 958
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 88 times
Been thanked: 222 times

Re: [Software] Debian security updates

#7 Post by fabien »

FreewheelinFrank wrote: 2024-07-06 19:17 unattended-upgrades used to be a default install with Gnome, but isn't any more, yet Gnome still alerts users of updates. How? I don't know - the chain seems to be broken.
[...]
I don't understand the Systemd timer well enough to understand if it is actually configured in Gnome/KDE to update the package list without an Apt config file. fabien posted some script here which may be the missing link.

viewtopic.php?p=799782#p799782
Yes, the idea was that the update was triggered by these services. This is a good opportunity to test if this disables updates in KDE.

Code: Select all

#> systemctl stop apt-daily-upgrade.timer
#> systemctl stop apt-daily.timer
#> systemctl disable apt-daily-upgrade.timer
#> systemctl disable apt-daily.timer
Share your Debian SCRIPTS
There will be neither barrier nor walls, neither official nor guard, there will be no more desert and the entire world will become a garden. — Anacharsis Cloots

sunrat
Administrator
Posts: 6950
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 122 times
Been thanked: 570 times

Re: [Software] Debian security updates

#8 Post by sunrat »

delphi_coder wrote: 2024-07-06 20:25 Too sad if I couldn't find any better way than uninstalling discover
https://bugs.kde.org/show_bug.cgi?id=413053
It seems the update-notifier is built in to the plasma-discover package. Maybe in Plasma 6 you can disable it. In that link it is mentioned that some distros separate the notifier package from discover but it isn't in Debian.
Try @fabien's suggestion. Be good to know if that works.

FreewheelinFrank
Global Moderator
Posts: 2223
Joined: 2010-06-07 16:59
Has thanked: 42 times
Been thanked: 236 times

Re: [Software] Debian security updates

#9 Post by FreewheelinFrank »

fabien wrote: 2024-07-06 22:34
FreewheelinFrank wrote: 2024-07-06 19:17 unattended-upgrades used to be a default install with Gnome, but isn't any more, yet Gnome still alerts users of updates. How? I don't know - the chain seems to be broken.
[...]
I don't understand the Systemd timer well enough to understand if it is actually configured in Gnome/KDE to update the package list without an Apt config file. fabien posted some script here which may be the missing link.

viewtopic.php?p=799782#p799782
Yes, the idea was that the update was triggered by these services. This is a good opportunity to test if this disables updates in KDE.

Code: Select all

#> systemctl stop apt-daily-upgrade.timer
#> systemctl stop apt-daily.timer
#> systemctl disable apt-daily-upgrade.timer
#> systemctl disable apt-daily.timer
That is what I thought when I read your original post, but then I saw a topic where it was suggested that Apt config settings are necessary too, I think this one.

https://askubuntu.com/questions/1408639 ... n-20auto-u

I recently installed Debian 12 XFCE and observed that the timers were present, but I didn't observe any update notifications with my update script, which basically runs

Code: Select all

aptitude search '~U' | wc -l
until I installed apt-config-auto-update and had APT::Periodic::Update-Package-Lists "1"; in 10periodic.

My methodology in testing this may well have been wrong.

The script /usr/lib/apt/apt.systemd.daily has this:

Code: Select all

# This file understands the following apt configuration variables:
# Values here are the default.
# Create /etc/apt/apt.conf.d/10periodic file to set your preference.
#
# All of the n-days interval options also accept the suffixes
# s for seconds, m for minutes, h for hours, d for days or
# the "always" value to do the action for every job run,
# which can be used with systemd OnCalendar overrides to
# define custom schedules for the apt update/upgrade jobs.
#
#  Dir "/";
#  - RootDir for all configuration files
#
#  Dir::Cache "var/cache/apt/";
#  - Set apt package cache directory
#
#  Dir::Cache::Archives "archives/";
#  - Set package archive directory
#
#  APT::Periodic::Enable "1";
#  - Enable the update/upgrade script (0=disable)
#
Which suggests that the default for APT::Periodic::Enable "1"; is inactive, and 10periodic is necessary to change the default.

Is there some change to the Systemd script that Gnome and KDE make to enable an update check, or is my understanding of how apt-daily.timer works wrong? Quite possibly the latter, and my knowledge of scripting is very basic.

fabien
Forum Helper
Posts: 958
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 88 times
Been thanked: 222 times

Re: [Software] Debian security updates

#10 Post by fabien »

FreewheelinFrank wrote: 2024-07-07 06:11 That is what I thought when I read your original post, but then I saw a topic where it was suggested that Apt config settings are necessary too, I think this one.

https://askubuntu.com/questions/1408639 ... n-20auto-u

I recently installed Debian 12 XFCE and observed that the timers were present, but I didn't observe any update notifications with my update script, which basically runs

Code: Select all

aptitude search '~U' | wc -l
until I installed apt-config-auto-update and had APT::Periodic::Update-Package-Lists "1"; in 10periodic.

My methodology in testing this may well have been wrong.

The script /usr/lib/apt/apt.systemd.daily has this:
Yes, this script is the key. It can be called with two different arguments: install and update. We are interested in update here. This is how this is handled by systemd (Here I'm using a system where unattended-upgrades is installed). First there is a timer:

Code: Select all

# systemctl status apt-daily.timer 
● apt-daily.timer - Daily apt download activities
     Loaded: loaded (/lib/systemd/system/apt-daily.timer; enabled; preset: enabled)
     Active: active (waiting) since Sun 2024-07-07 07:21:27 CEST; 3h 21min ago
    Trigger: Sun 2024-07-07 19:47:23 CEST; 9h left
   Triggers: ● apt-daily.service

juil. 07 07:21:27 okcomputer systemd[1]: Started apt-daily.timer - Daily apt download activities.
This timer triggers apt-daily.service:

Code: Select all

# systemctl status apt-daily.service 
○ apt-daily.service - Daily apt download activities
     Loaded: loaded (/lib/systemd/system/apt-daily.service; static)
     Active: inactive (dead) since Sun 2024-07-07 07:23:00 CEST; 3h 19min ago
TriggeredBy: ● apt-daily.timer
       Docs: man:apt(8)
    Process: 2456 ExecStartPre=/usr/lib/apt/apt-helper wait-online (code=exited, status=0/SUCCESS)
    Process: 2477 ExecStart=/usr/lib/apt/apt.systemd.daily update (code=exited, status=0/SUCCESS)
   Main PID: 2477 (code=exited, status=0/SUCCESS)
        CPU: 3.860s

juil. 07 07:22:55 okcomputer systemd[1]: Starting apt-daily.service - Daily apt download activities...
juil. 07 07:23:00 okcomputer systemd[1]: apt-daily.service: Deactivated successfully.
juil. 07 07:23:00 okcomputer systemd[1]: Finished apt-daily.service - Daily apt download activities.
juil. 07 07:23:00 okcomputer systemd[1]: apt-daily.service: Consumed 3.860s CPU time.
which runs /usr/lib/apt/apt.systemd.daily with update as argument.

/usr/lib/apt/apt.systemd.daily lines 354 to 360:

Code: Select all

# check if the user really wants to do something
AutoAptEnable=1  # default is yes
eval $(apt-config shell AutoAptEnable APT::Periodic::Enable)

if [ $AutoAptEnable -eq 0 ]; then
    exit 0
fi
apt-config shell is run according to the apt-config manual.
man 8 apt-config wrote:shell
shell is used to access the configuration information from a shell script. It is given pairs of arguments, the first being a shell variable and the second the configuration value to query.
As output it lists shell assignment commands for each value present. In a shell script it should be used as follows:

OPTS="-f"
RES=`apt-config shell OPTS MyApp::options`
eval $RES
This will set the shell environment variable $OPTS to the value of MyApp::options with a default of -f.

Code: Select all

$> apt-config dump | grep "^APT::Sandbox::User"
APT::Sandbox::User "_apt";
$> getAptConf="APT::Sandbox::User"; unset -v AptOpt; eval "$(apt-config shell AptOpt "$getAptConf")"; echo "$getAptConf ${AptOpt:-"is not set"}"
APT::Sandbox::User _apt
$> getAptConf="APT::Periodic::Enable"; unset -v AptOpt; eval $(apt-config shell AptOpt "$getAptConf"); echo "$getAptConf ${AptOpt:-"is not set"}"
APT::Periodic::Enable is not set
I prefer not to use eval:

Code: Select all

$> getAptConf="APT::Sandbox::User"; unset -v AptOpt; AptOpt="$(apt-config shell AptOpt "$getAptConf")"; declare "${AptOpt:-AptOpt="is not set"}"; echo "$getAptConf ${AptOpt//\'}"
APT::Sandbox::User _apt
$> getAptConf="APT::Periodic::Enable"; unset -v AptOpt; AptOpt="$(apt-config shell AptOpt "$getAptConf")"; declare "${AptOpt:-AptOpt="is not set"}"; echo "$getAptConf ${AptOpt//\'}"
APT::Periodic::Enable is not set
For completeness, note that

Code: Select all

$> AptOpt="previously set"
$> getAptConf="APT::Periodic::Enable"; eval "$(apt-config shell AptOpt "$getAptConf")"; echo "$getAptConf ${AptOpt:-"is not set"}"
APT::Periodic::Enable previously set
but

Code: Select all

$> AptOpt="previously set"
$> getAptConf="APT::Periodic::Enable"; AptOpt="$(apt-config shell AptOpt "$getAptConf")"; declare "${AptOpt:-AptOpt="is not set"}"; echo "$getAptConf ${AptOpt//\'}"
APT::Periodic::Enable is not set
Unless APT::Periodic::Enable is explicitly set to 0 (in /etc/apt/apt.conf.d/), the script proceeds.

/usr/lib/apt/apt.systemd.daily lines 395 to 435:

Code: Select all

UpdateInterval=0
eval $(apt-config shell UpdateInterval APT::Periodic::Update-Package-Lists)

DownloadUpgradeableInterval=0
eval $(apt-config shell DownloadUpgradeableInterval APT::Periodic::Download-Upgradeable-Packages)

UnattendedUpgradeInterval=0
eval $(apt-config shell UnattendedUpgradeInterval APT::Periodic::Unattended-Upgrade)

AutocleanInterval=0
eval $(apt-config shell AutocleanInterval APT::Periodic::AutocleanInterval)

CleanInterval=0
eval $(apt-config shell CleanInterval APT::Periodic::CleanInterval)

BackupArchiveInterval=0
eval $(apt-config shell BackupArchiveInterval APT::Periodic::BackupArchiveInterval)

Debdelta=1
eval $(apt-config shell Debdelta APT::Periodic::Download-Upgradeable-Packages-Debdelta)

# check if we actually have to do anything that requires locking the cache
if [ $UpdateInterval = always ] ||
   [ $DownloadUpgradeableInterval = always ] ||
   [ $UnattendedUpgradeInterval = always ] ||
   [ $BackupArchiveInterval = always ] ||
   [ $AutocleanInterval = always ] ||
   [ $CleanInterval = always ] ; then
    :
elif [ $UpdateInterval = 0 ] &&
     [ $DownloadUpgradeableInterval = 0 ] &&
     [ $UnattendedUpgradeInterval = 0 ] &&
     [ $BackupArchiveInterval = 0 ] &&
     [ $AutocleanInterval = 0 ] &&
     [ $CleanInterval = 0 ] ; then

    # check cache size
    check_size_constraints

    exit 0
fi
On my system:

Code: Select all

$> for getAptConf in "APT::Periodic::Update-Package-Lists" "APT::Periodic::Download-Upgradeable-Packages" \
"APT::Periodic::Unattended-Upgrade" "APT::Periodic::AutocleanInterval" \
"APT::Periodic::CleanInterval" "APT::Periodic::BackupArchiveInterval" \
"APT::Periodic::Download-Upgradeable-Packages-Debdelta"; do \
AptOpt="$(apt-config shell AptOpt "$getAptConf")"; \
declare "${AptOpt:-AptOpt="is not set"}"; \
printf '\n%s' "$getAptConf ${AptOpt//\'}"; \
done; echo -e "\n"

APT::Periodic::Update-Package-Lists is not set
APT::Periodic::Download-Upgradeable-Packages is not set
APT::Periodic::Unattended-Upgrade is not set
APT::Periodic::AutocleanInterval is not set
APT::Periodic::CleanInterval is not set
APT::Periodic::BackupArchiveInterval is not set
APT::Periodic::Download-Upgradeable-Packages-Debdelta is not set

$> cat /etc/apt/apt.conf.d/20auto-upgrades
cat: /etc/apt/apt.conf.d/20auto-upgrades: No such file or directory
On the system where unattended-upgrades is installed:

Code: Select all

$> for getAptConf in "APT::Periodic::Update-Package-Lists" "APT::Periodic::Download-Upgradeable-Packages" \
"APT::Periodic::Unattended-Upgrade" "APT::Periodic::AutocleanInterval" \
"APT::Periodic::CleanInterval" "APT::Periodic::BackupArchiveInterval" \
"APT::Periodic::Download-Upgradeable-Packages-Debdelta"; do \
AptOpt="$(apt-config shell AptOpt "$getAptConf")"; \
declare "${AptOpt:-AptOpt="is not set"}"; \
printf '\n%s' "$getAptConf ${AptOpt//\'}"; \
done; echo -e "\n"

APT::Periodic::Update-Package-Lists 1
APT::Periodic::Download-Upgradeable-Packages is not set
APT::Periodic::Unattended-Upgrade 1
APT::Periodic::AutocleanInterval is not set
APT::Periodic::CleanInterval is not set
APT::Periodic::BackupArchiveInterval is not set
APT::Periodic::Download-Upgradeable-Packages-Debdelta is not set

$> cat /etc/apt/apt.conf.d/20auto-upgrades 
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
On my system, since all tested variables are either unset or set to 0, the script executes check_size_constraints and exits.
On the system where unattended-upgrades is installed, UpdateInterval=1 and UnattendedUpgradeInterval=1, the script proceeds.

/usr/lib/apt/apt.systemd.daily lines 437 to 489:

Code: Select all

if [ "$1" = "update" ] || [ -z "$1" ] ; then
[...]
   if eval apt-get $XAPTOPT -y update $XSTDERR; then
       debug_echo "download updated metadata (success)."
       update_stamp $UPDATE_STAMP
       UPDATED=1
[...]
   fi
[...]
fi
by replacing the variables with their values:

Code: Select all

apt-get -qq -y update 2>/dev/null
Not tested, but

Code: Select all

#> echo "APT::Periodic::Update-Package-Lists \"1\";"  > /etc/apt/apt.conf.d/10custom-auto-updates
should be enough to enable updates.

For information, the apt-config-auto-update package only has the effect of installing these files:
/etc/apt/apt.conf.d/10periodic

Code: Select all

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "0";
/etc/apt/apt.conf.d/15update-stamp

Code: Select all

APT::Update::Post-Invoke {"touch /var/lib/apt/periodic/update-success-stamp 2>/dev/null || true";};
/etc/apt/apt.conf.d/20archive

Code: Select all

APT::Periodic::MaxAge "30";
APT::Periodic::MinAge "2";
APT::Periodic::MaxSize "500";
@delphi_coder, what gives

Code: Select all

$> for getAptConf in "APT::Periodic::Update-Package-Lists" "APT::Periodic::Download-Upgradeable-Packages" \
"APT::Periodic::Unattended-Upgrade" "APT::Periodic::AutocleanInterval" \
"APT::Periodic::CleanInterval" "APT::Periodic::BackupArchiveInterval" \
"APT::Periodic::Download-Upgradeable-Packages-Debdelta"; do \
AptOpt="$(apt-config shell AptOpt "$getAptConf")"; \
declare "${AptOpt:-AptOpt="is not set"}"; \
printf '\n%s' "$getAptConf ${AptOpt//\'}"; \
done; echo -e "\n"
on your system?

delphi_coder
Posts: 6
Joined: 2024-07-06 08:47

Re: [Software] Debian security updates

#11 Post by delphi_coder »

@delphi_coder, what gives
Some outputs from my system.

Code: Select all

~$ systemctl status apt-daily-upgrade.timer 
○ apt-daily-upgrade.timer
     Loaded: masked (Reason: Unit apt-daily-upgrade.timer is masked.)
     Active: inactive (dead)
    Trigger: n/a
~$ systemctl status apt-daily-upgrade.service 
○ apt-daily-upgrade.service
     Loaded: masked (Reason: Unit apt-daily-upgrade.service is masked.)
     Active: inactive (dead)
~$ systemctl stop apt-daily-upgrade.timer
~$ systemctl stop apt-daily.timer
~$ sudo systemctl disable apt-daily-upgrade.timer
[sudo] password for user: 
Unit /etc/systemd/system/apt-daily-upgrade.timer is masked, ignoring.
~$ sudo systemctl disable apt-daily.timer
Unit /etc/systemd/system/apt-daily.timer is masked, ignoring.

~$ for getAptConf in "APT::Periodic::Update-Package-Lists" "APT::Periodic::Download-Upgradeable-Packages" \
"APT::Periodic::Unattended-Upgrade" "APT::Periodic::AutocleanInterval" \
"APT::Periodic::CleanInterval" "APT::Periodic::BackupArchiveInterval" \
"APT::Periodic::Download-Upgradeable-Packages-Debdelta"; do \
AptOpt="$(apt-config shell AptOpt "$getAptConf")"; \
declare "${AptOpt:-AptOpt="is not set"}"; \
printf '\n%s' "$getAptConf ${AptOpt//\'}"; \
done; echo -e "\n"

APT::Periodic::Update-Package-Lists 0
APT::Periodic::Download-Upgradeable-Packages 0
APT::Periodic::Unattended-Upgrade is not set
APT::Periodic::AutocleanInterval 0
APT::Periodic::CleanInterval is not set
APT::Periodic::BackupArchiveInterval is not set
APT::Periodic::Download-Upgradeable-Packages-Debdelta is not set

~$ cat /etc/apt/apt.conf.d/20auto-upgrades
cat: /etc/apt/apt.conf.d/20auto-upgrades: No such file or directory
~$ cat /etc/apt/apt.conf.d/20archive
cat: /etc/apt/apt.conf.d/20archive: No such file or directory

fabien
Forum Helper
Posts: 958
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 88 times
Been thanked: 222 times

Re: [Software] Debian security updates

#12 Post by fabien »

delphi_coder wrote: 2024-07-07 18:39 some outputs from my system.
Thanks. This shows that the update is triggered by something else. I think I found it in the plasma-discover code.

discover / libdiscover / backends / PackageKitBackend / PackageKitNotifier lines 54-79

Code: Select all

// Check if there's packages after 5'
    QTimer::singleShot(5min, this, &PackageKitNotifier::refreshDatabase);
    QTimer *regularCheck = new QTimer(this);
    connect(regularCheck, &QTimer::timeout, this, &PackageKitNotifier::refreshDatabase);
    const QString aptconfig = QStandardPaths::findExecutable(QStringLiteral("apt-config"));
    if (!aptconfig.isEmpty()) {
        checkAptVariable(aptconfig, QLatin1String("Apt::Periodic::Update-Package-Lists"), [regularCheck](const QStringView &value) {
            bool ok;
            const int days = value.toInt(&ok);
            if (!ok || days == 0) {
                regularCheck->setInterval(24h); // refresh at least once every day
                regularCheck->start();
                if (!value.isEmpty()) {
                    qWarning() << "couldn't understand value for timer:" << value;
                }

            }
            // if the setting is not empty, refresh will be carried out by unattended-upgrade
            // https://wiki.debian.org/UnattendedUpgrades
        });
    } else {
        regularCheck->setInterval(24h); // refresh at least once every day
        regularCheck->start();
    }
There is a special check for Debian. Discover checks if apt-config is executable and then if "Apt::Periodic::Update-Package-Lists" is set to true. If this is the case, it relies on the system to update the cache. In the other case, Discover manages the cache update (using PackageKit).
Share your Debian SCRIPTS
There will be neither barrier nor walls, neither official nor guard, there will be no more desert and the entire world will become a garden. — Anacharsis Cloots
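
The two checks discussed in posts #10 and #12, modelled in shell as an added example that is not part of the thread and is not code from apt or plasma-discover. In the quoted C++ the 5-minute `QTimer::singleShot` sits outside the `apt-config` branch, so the model reports it for every configuration. It reads constructed apt.conf-style text instead of calling apt-config; the function names, the case-insensitive key match and the treatment of an unset option as an empty value are assumptions.

```sh
#!/bin/sh
# Added example: models two decisions quoted in this thread.
# Not code from apt or plasma-discover; inputs are constructed samples.

# Constructed from the 10periodic contents shown in posts #1 and #14.
CONF_POST1='APT::Periodic::Enable "0";
APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "0";'
CONF_POST14='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "0";
APT::Periodic::Unattended-Upgrade "0";'

# conf_get TEXT KEY DEFAULT: value of KEY in TEXT, or DEFAULT when KEY is absent.
# Assumption: keys compare case-insensitively (Discover asks for "Apt::...").
conf_get() (
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    result=$3
    while IFS= read -r line; do
        key=$(printf '%s' "${line%% *}" | tr '[:upper:]' '[:lower:]')
        if [ "$key" = "$want" ]; then
            val=${line#*\"}          # drop everything up to the opening quote
            result=${val%%\"*}       # drop the closing quote and the ";"
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$result"
)

# daily_decision TEXT: what the quoted parts of apt.systemd.daily would do.
#   disabled = exits at the Enable check
#   idle     = runs check_size_constraints, then exits
#   proceed  = goes on to the update/upgrade steps
daily_decision() (
    if [ "$(conf_get "$1" APT::Periodic::Enable 1)" = 0 ]; then
        echo disabled
    else
        verdict=idle
        for k in Update-Package-Lists Download-Upgradeable-Packages Unattended-Upgrade \
                 BackupArchiveInterval AutocleanInterval CleanInterval; do
            # Script defaults are 0; "always" or any other non-zero value keeps it running.
            [ "$(conf_get "$1" "APT::Periodic::$k" 0)" = 0 ] || verdict=proceed
        done
        echo "$verdict"
    fi
)

# discover_decision TEXT: timers PackageKitNotifier arms per the quoted C++.
# Assumption: an unset option reaches the callback as an empty value.
discover_decision() (
    v=$(conf_get "$1" Apt::Periodic::Update-Package-Lists "")
    n=${v#-}                         # toInt() also accepts a leading minus
    case $n in
        ''|*[!0-9]*) echo "startup-refresh+24h-timer" ;;  # not an integer
        *[1-9]*)     echo "startup-refresh-only" ;;       # non-zero number of days
        *)           echo "startup-refresh+24h-timer" ;;  # zero
    esac
)

report() {
    printf '%-7s apt.systemd.daily=%-9s discover=%s\n' \
        "$1" "$(daily_decision "$2")" "$(discover_decision "$2")"
}

report post1  "$CONF_POST1"
report post14 "$CONF_POST14"
report unset  ""
```

On a real system the text can be taken from `apt-config dump | grep -i '^APT::Periodic'`, which prints lines in the same `Key "value";` form.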

fabien
Forum Helper
Posts: 958
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 88 times
Been thanked: 222 times

Re: [Software] Debian security updates

#13 Post by fabien »

@delphi_coder, can you please test setting Apt::Periodic::Update-Package-Lists to 1 while keeping systemd timers disabled? Maybe Plasma-Discover will trust this setting and not trigger updates on its own.

delphi_coder
Posts: 6
Joined: 2024-07-06 08:47

Re: [Software] Debian security updates

#14 Post by delphi_coder »

@fabien , I have set APT::Periodic::Update-Package-Lists to 1 in the /etc/apt/apt.conf.d/10periodic file while keeping the systemd timers disabled. Here are my current settings:

Code: Select all

~$ cat /etc/apt/apt.conf.d/10periodic
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "0";
APT::Periodic::Unattended-Upgrade "0";
~$ systemctl status apt-daily-upgrade.timer
○ apt-daily-upgrade.timer
     Loaded: masked (Reason: Unit apt-daily-upgrade.timer is masked.)
     Active: inactive (dead)
    Trigger: n/a
~$ systemctl status apt-daily.timer
○ apt-daily.timer
     Loaded: masked (Reason: Unit apt-daily.timer is masked.)
     Active: inactive (dead)
    Trigger: n/a
~$ 
I will monitor Plasma-Discover over the next few days to see if it respects this setting and stops managing the cache updates on its own. I'll report back with my findings soon.

Thank you for the guidance!

delphi_coder
Posts: 6
Joined: 2024-07-06 08:47

Re: [Software] Debian security updates

#15 Post by delphi_coder »

fabien wrote: 2024-07-10 11:54 @delphi_coder, can you please test setting Apt::Periodic::Update-Package-Lists to 1 while keeping systemd timers disabled? Maybe Plasma-Discover will trust this setting and not trigger updates on its own.
That doesn't work. It still notifies of updates on its own. Any other ideas?

PS: wondering if cloning/editing/compiling/installing from source can be done easily

fabien
Forum Helper
Posts: 958
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 88 times
Been thanked: 222 times

Re: [Software] Debian security updates

#16 Post by fabien »

delphi_coder wrote: 2024-07-19 07:26 That doesn't work. It still notifies of updates on its own.
Damn, I had good expectations. How do you understand the code? Do you think there is something else in another part?
