1

Is there a way to prevent a Debian package from being removed? I want to prevent any resolution of "Replaces" and "Breaks" attributes that would lead to removing that package, while still being able to upgrade it. Everything is fine as long as that package is installed in any version after everything is done.

The only way that I found is putting the package on hold. That is no solution, as running an upgrade would require removing the hold beforehand.

This is in a Puppet environment, so checking every possible package match-up manually on every host type is just not possible.

Context:

If you make a mistake in packaging, cases occur where package requirement chains lead to removing packages that are fundamental to that server (networking, user management, ...). I know there are a lot of unlucky circumstances involved for this to happen, like testing two packages separately and a race condition between them screwing everything up. The whole point is to provide a lower bound on what can go wrong.

Pointers for others:

You could use one of these options for apt, which Puppet respects:

~ $ cat /etc/apt/apt.conf.d/99neverremoveanything 
APT::Get::Remove "false";
APT::Get::Upgrade-Allow-New "true";

For me, these options are not completely satisfactory, so I am leaving this unanswered, as only some packages really need this protection.

You could also use the solution proposed here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767891

It involves creating meta packages with "Priority: required" that depend on the packages you want to protect.

Benedikt Haug
  • Is this a hypothesis or did this actually happen in your business environment? Please add the manifests snippets that show the attempts you have done in order to resolve the issue. – 030 Jul 08 '15 at 22:33
  • @Utrecht it sure is an edge case, but I agree with Benedikt that this is a pretty fundamental issue about the amount of trust that can be put into the tooling. So from a risk management point of view, it is not strictly required to present a concrete example IMO. – Felix Frank Jul 09 '15 at 12:37
  • Current versions of yum/dnf automatically protect critical packages, so it's impossible to remove any package which would result in, e.g. systemd or yum itself being removed. I am not sure if apt has any similar feature. – Michael Hampton Jul 09 '15 at 20:50
  • This did actually happen. Apt protects critical packages: try to remove libc6 and this appears: "You are about to do something potentially harmful. To continue type in the phrase 'Yes, do as I say!' ?]" I think this has something to do with "Priority: required" in the package's control file. – Benedikt Haug Jul 13 '15 at 14:46
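
One way to get the per-package guarantee the question asks for, as an added example that is not part of the original post or its comments: run the transaction with `apt-get -s` first and refuse to proceed if any `Remv` line names a protected package, while upgrades (`Inst` lines) pass. The `PROTECTED` list, the function names and the sample simulation output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: gate an apt run on its own simulation output.
# PROTECTED is a hypothetical, site-specific list of packages that must
# remain installed (in any version) after the transaction.
PROTECTED="openssh-server ifupdown sudo"

# Reads `apt-get -s ...` output on stdin and prints every protected package
# that a "Remv" line would remove. Returns 1 if any was found, else 0.
# "Inst" lines (installs and upgrades) are deliberately ignored.
protected_removals() {
    awk -v list="$PROTECTED" '
        BEGIN { n = split(list, p, " "); for (i = 1; i <= n; i++) keep[p[i]] = 1 }
        $1 == "Remv" {
            pkg = $2
            sub(/:.*/, "", pkg)      # strip an arch qualifier such as ":amd64"
            if (pkg in keep) { print pkg; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample of simulation output: one protected package is removed,
# one unprotected package is removed, one protected package is upgraded.
sample_simulation() {
    cat <<'EOF'
Reading package lists...
Building dependency tree...
The following packages will be REMOVED:
  ifupdown libfoo1
Remv ifupdown [0.7.53.1]
Remv libfoo1:amd64 [1.0-1]
Inst openssh-server [1:6.7p1-5] (1:6.7p1-5+deb8u1 Debian-Security:8/stable [amd64])
Conf openssh-server (1:6.7p1-5+deb8u1 Debian-Security:8/stable [amd64])
EOF
}

# Real use on a host with apt (not executed here):
#   apt-get -s dist-upgrade | protected_removals || exit 1
#   apt-get -y dist-upgrade
```

The simulation and the real run are two separate resolver invocations, so the check is only meaningful if the package lists are not refreshed between them.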

1 Answer

0

You can use the file /etc/apt/preferences like this:

Package: <Package Name>
Pin: version 1.0*
Pin-Priority: 10

It will prevent <Package Name> from being updated to a version above 1.0*.

Reference: https://wiki.debian.org/AptPreferences