2

I am trying to set the Unattended-Upgrade::Allowed-Origins so that it only is allowed for security updates. I would like to do this in a later config in the apt.conf.d leaving the default 50unattended-upgrades config as the default and just overriding.

In my 99-unattended-upgrades I am setting the following:

// Only allow security origin
Unattended-Upgrade::Allowed-Origins {
  "${distro_id}:${distro_codename}-security";
};

However, this seems to be merged with the existing config (rather than just nuking it completely) as when I do an apt-config dump I can see the default settings in there.

I also tried setting it with the following:

Unattended-Upgrade::Allowed-Origins "${distro_id}:${distro_codename}-security";

Also did not work.

I could simply comment out the lines in 50unattended-upgrades, but I'd really like to leave the original files pristine if I can.

patrickdavey

1 Answer

2

After a bit of digging in the apt source code and then in the apt.conf manual page, it turns out that there is a way:

[...] #clear is used to erase a part of the configuration tree. The specified element and all its descendants are erased. (Note that these lines also need to end with a semicolon.)

The #clear command is the only way to delete a list or a complete scope. Reopening a scope (or using the syntax described below with an appended ::) will not override previously written entries. Options can only be overridden by addressing a new value to them - lists and scopes can't be overridden, only cleared.

So this would get you what you want:

#clear Unattended-Upgrade::Allowed-Origins;
// Only allow security origin
Unattended-Upgrade::Allowed-Origins {
  "${distro_id}:${distro_codename}-security";
};

https://manpages.debian.org/testing/apt/apt.conf.5.en.html

silmaril
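A way to confirm the override took effect, as an added example that is not part of the original answer: the function below reads `apt-config dump` output and fails if any Allowed-Origins list entry other than the security origin survives, or if the security origin itself is missing. The function name, exit codes and both sample dumps are constructed for illustration.

```shell
#!/usr/bin/env bash
# Audit `apt-config dump` output read from stdin (hypothetical helper).
# Exit status: 0 = security origin only, 1 = extra origins, 2 = security origin missing.

WANT='${distro_id}:${distro_codename}-security'

audit_allowed_origins() {
  awk -v want="$WANT" '
    # apt-config dumps list entries as:  Key:: "value";
    index($0, "Unattended-Upgrade::Allowed-Origins:: \"") == 1 {
      v = $0
      sub(/^[^"]*"/, "", v)     # drop everything up to the opening quote
      sub(/";[ \t]*$/, "", v)   # drop the closing quote and semicolon
      if (v == want) found = 1
      else { print "unexpected origin: " v; extra = 1 }
    }
    END { if (extra) exit 1; if (!found) exit 2; exit 0 }
  '
}

# Constructed sample: scope reopened without #clear, so entries were merged.
MERGED_DUMP='Unattended-Upgrade::Allowed-Origins "";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-security";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-security";'

# Constructed sample: dump after the #clear override.
CLEARED_DUMP='Unattended-Upgrade::Allowed-Origins "";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-security";'

# Demonstration on the constructed samples.
rc=0; printf '%s\n' "$MERGED_DUMP" | audit_allowed_origins || rc=$?
echo "merged config: exit $rc"
rc=0; printf '%s\n' "$CLEARED_DUMP" | audit_allowed_origins || rc=$?
echo "cleared config: exit $rc"

# On a real host: apt-config dump | audit_allowed_origins
```

Exit status 2 catches the case where `#clear` was applied but the security origin was never re-added, which would leave unattended-upgrades with no allowed origin at all.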