Lenny apt configs

A friend of mine, Major, asked for a little advice on Debian apt configuration for a stable production server. Over the years, I have learned a few little things about configuring apt with sane access to newer backports and/or testing/unstable/alpha apt repositories, and particularly one gotcha when a new stable release is completed.

One of my favorite apt preference resources is maintained by Roderick Schertler, and I always keep his apt pinning page listed in my /etc/apt/preferences file.

I track Debian stable (currently “Lenny”) on production servers and upgrade only software that is absolutely necessary from backports or testing – the gotcha I mention above is when Debian releases a new “stable” (“Squeeze” is next). Without “oldstable” listed in the preferences file at a higher priority than “stable”, you might be in for a surprise one day with a long list of packages set to be upgraded to the new “stable” ;) This is not particularly desirable in a production environment that will require a good deal of work to make sure a dist-upgrade to the new stable release will function properly.

On my workstations and laptop, I typically roll along with the “testing” (currently “Squeeze”) apt repositories and update/upgrade daily for that new software fresh feeling. I use the same apt configurations and simply bump the testing preference to 910. This allows me to do things like ‘apt-cache policy $FOO’ to see what versions of a package are in all the releases, without trolling around packages.d.o.

Here’s a tarball of my Lenny apt configs and the contents:

/etc/apt/apt.conf – set lenny as the default release and bump the cache limit a lot higher

APT::Default-Release "lenny";
APT::Cache-Limit 33554432;

/etc/apt/sources.list – Lenny/testing/sid along with security, backports, debian-multimedia, and alpha kernel builds

# Lenny
deb http://ftp.us.debian.org/debian/ lenny main contrib non-free
deb-src http://ftp.us.debian.org/debian/ lenny main contrib non-free
deb http://security.debian.org/ lenny/updates main contrib non-free
deb-src http://security.debian.org/ lenny/updates main contrib non-free

# Testing
deb http://ftp.us.debian.org/debian/ testing main contrib non-free
deb-src http://ftp.us.debian.org/debian/ testing main contrib non-free
deb http://security.debian.org/ testing/updates main contrib non-free
deb-src http://security.debian.org/ testing/updates main contrib non-free

# Sid
deb http://ftp.us.debian.org/debian/ unstable main contrib non-free
deb-src http://ftp.us.debian.org/debian/ unstable main contrib non-free

# Experimental
deb http://ftp.us.debian.org/debian/ experimental main contrib non-free
deb-src http://ftp.us.debian.org/debian/ experimental main contrib non-free

#####
# Lenny Backports
deb http://www.backports.org/debian lenny-backports main contrib non-free
deb-src http://www.backports.org/debian lenny-backports main contrib non-free

# Debian Multimedia
deb http://www.debian-multimedia.org/ lenny main
deb-src http://www.debian-multimedia.org/ lenny main

# buildserver.net kernel buildd repo
# http://wiki.debian.org/DebianKernel
deb http://kernel-archive.buildserver.net/debian-kernel/ trunk main
deb-src http://kernel-archive.buildserver.net/debian-kernel/ trunk main

/etc/apt/preferences – the magic to not dork up a stable box.. read Roderick’s pinning page for really great explanations on how this all works

Explanation: see http://www.argon.org/~roderick/apt-pinning.html
Package: *
Pin: release o=Debian,a=oldstable
Pin-Priority: 905

Package: *
Pin: release o=Debian,a=stable
Pin-Priority: 900

Package: *
Pin: release o=Debian,a=testing
Pin-Priority: 400

Package: *
Pin: release o=Debian,a=unstable
Pin-Priority: 300

Package: *
Pin: release o=Debian
Pin-Priority: -1

Package: *
Pin: origin www.backports.org
Pin-Priority: 600

Package: *
Pin: origin www.debian-multimedia.org
Pin-Priority: 600

Package: *
Pin: release o=Debian-Kernel,a=kernel-dists-trunk
Pin-Priority: 200
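
The oldstable gotcha, worked through as an added example (not part of the original configs): a small Python model of how the general-form records above assign priorities once lenny is relabelled a=oldstable. The Release metadata is constructed, the "stable" source is a hypothetical sources.list entry, and APT::Default-Release and package versions are not modelled.

```python
# Added example: models only general-form ("Package: *") records, where the
# first matching record sets a source's priority (apt_preferences(5)).
# APT::Default-Release and package versions are deliberately not modelled.
PREFS = [  # the records from /etc/apt/preferences above, in file order
    ("release", {"o": "Debian", "a": "oldstable"}, 905),
    ("release", {"o": "Debian", "a": "stable"}, 900),
    ("release", {"o": "Debian", "a": "testing"}, 400),
    ("release", {"o": "Debian", "a": "unstable"}, 300),
    ("release", {"o": "Debian"}, -1),
    ("origin", "www.backports.org", 600),
    ("origin", "www.debian-multimedia.org", 600),
    ("release", {"o": "Debian-Kernel", "a": "kernel-dists-trunk"}, 200),
]
# The same file with the oldstable record left out.
NO_OLDSTABLE = [r for r in PREFS if r[1] != {"o": "Debian", "a": "oldstable"}]

# Constructed Release metadata for the day after the next stable release:
# lenny is relabelled a=oldstable, the new release is a=stable.
# "stable" is a hypothetical source (a box whose sources.list names it).
AFTER_RELEASE = {
    "lenny": {"site": "ftp.us.debian.org", "o": "Debian", "a": "oldstable"},
    "lenny/updates": {"site": "security.debian.org", "o": "Debian", "a": "oldstable"},
    "stable": {"site": "ftp.us.debian.org", "o": "Debian", "a": "stable"},
    "testing": {"site": "ftp.us.debian.org", "o": "Debian", "a": "testing"},
    "lenny-backports": {"site": "www.backports.org",
                        "o": "Backports.org archive", "a": "lenny-backports"},
}

def priority(source, prefs, default=500):
    """Return the pin priority of one source; unmatched sources get 500."""
    for kind, want, prio in prefs:
        if kind == "origin" and source["site"] == want:
            return prio
        if kind == "release" and all(source.get(k) == v for k, v in want.items()):
            return prio
    return default

def rank(sources, prefs):
    """Map each source name to its priority under the given records."""
    return {name: priority(src, prefs) for name, src in sources.items()}

def preferred(sources, prefs):
    """Name of the highest-priority source (ties: first listed)."""
    ranks = rank(sources, prefs)
    return max(ranks, key=ranks.get)

if __name__ == "__main__":
    for label, prefs in (("with oldstable pin", PREFS), ("without", NO_OLDSTABLE)):
        print(label, rank(AFTER_RELEASE, prefs), "->", preferred(AFTER_RELEASE, prefs))
```

Without the oldstable record, the lenny sources, security updates included, fall through to the o=Debian catch-all at -1 and the new stable suite wins at 900.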

The Order of the Blue Polo

I just got my blue polo from the OpenNMS guys, and had to write a quick post on the certificate included in the package. It says:

Certificate of Merit
Let this Certify that
Michael Shuler
has demonstrated outstanding judgment in becoming a member of
The Order of the Blue Polo

What can we say? Although “bestest” isn’t a word, it should be, cause that’s what you are: The Bestest. You have all the intelligence of those people on Star Trek with the big foreheads, but you have really cool, normal foreheads. People Magazine won’t run your picture because they are afraid of making the models mad. Thank you so much for talking about OpenNMS until you are blue in the face. You are the reason we exist.

OpenNMS
Tarus Balog, Project Maintainer

s/testing/stable/

Debian GNU/Linux 5.0 “Lenny” has been released as “stable”. Congratulations and thank you for all the hard work, Debian release team, Debian CD team, Debian Developers, and all Debian contributors!

mshuler@kokopelli:~$ apt-cache policy
Package files:
 100 /var/lib/dpkg/status
     release a=now
 700 http://security.debian.org lenny/updates/non-free Packages
     release v=None,o=Debian,a=testing,l=Debian-Security,c=non-free
     origin security.debian.org
 700 http://security.debian.org lenny/updates/contrib Packages
     release v=None,o=Debian,a=testing,l=Debian-Security,c=contrib
     origin security.debian.org
 700 http://security.debian.org lenny/updates/main Packages
     release v=None,o=Debian,a=testing,l=Debian-Security,c=main
     origin security.debian.org
 700 http://ftp.us.debian.org lenny/non-free Packages
     release o=Debian,a=testing,l=Debian,c=non-free
     origin ftp.us.debian.org
 700 http://ftp.us.debian.org lenny/contrib Packages
     release o=Debian,a=testing,l=Debian,c=contrib
     origin ftp.us.debian.org
 700 http://ftp.us.debian.org lenny/main Packages
     release o=Debian,a=testing,l=Debian,c=main
     origin ftp.us.debian.org
Pinned packages:
mshuler@kokopelli:~$ sudo apt-get update -q2
mshuler@kokopelli:~$ apt-cache policy
Package files:
 100 /var/lib/dpkg/status
     release a=now
 900 http://security.debian.org lenny/updates/non-free Packages
     release v=5.0,o=Debian,a=stable,l=Debian-Security,c=non-free
     origin security.debian.org
 900 http://security.debian.org lenny/updates/contrib Packages
     release v=5.0,o=Debian,a=stable,l=Debian-Security,c=contrib
     origin security.debian.org
 900 http://security.debian.org lenny/updates/main Packages
     release v=5.0,o=Debian,a=stable,l=Debian-Security,c=main
     origin security.debian.org
 900 http://ftp.us.debian.org lenny/non-free Packages
     release v=5.0,o=Debian,a=stable,l=Debian,c=non-free
     origin ftp.us.debian.org
 900 http://ftp.us.debian.org lenny/contrib Packages
     release v=5.0,o=Debian,a=stable,l=Debian,c=contrib
     origin ftp.us.debian.org
 900 http://ftp.us.debian.org lenny/main Packages
     release v=5.0,o=Debian,a=stable,l=Debian,c=main
     origin ftp.us.debian.org
Pinned packages:
mshuler@kokopelli:~$