summaryrefslogtreecommitdiff
path: root/.github/workflows/codeql.yml
diff options
context:
space:
mode:
authorDate Huang <tjjh89017@hotmail.com>2026-07-14 14:10:41 +0800
committerChristian Breunig <christian@breunig.cc>2026-07-16 21:23:07 +0200
commit2a4632a0206084eaf6d8baba082b6f636e57d56a (patch)
tree5afa0a2d4286e53e768f707245dd930f3f8bb10b /.github/workflows/codeql.yml
parent5e2e9a3375a0ec3845822702fb255ac03e2b661f (diff)
downloadvyos-build-2a4632a0206084eaf6d8baba082b6f636e57d56a.tar.gz
vyos-build-2a4632a0206084eaf6d8baba082b6f636e57d56a.zip
openssl: T9083: fix APT detected package downgrade despite identical versions
VyOS rolling APT repo (packages.vyos.net/repositories/rolling) publishing its own openssl/libssl3 packages, pinned at priority 600 (higher than Debian's 500) causes a "poisoning" of the APT cache policy inside the chroot: openssl: Installed: 3.0.20-1~deb12u2 Candidate: 3.0.20-1~deb12u2 Version table: * 3.0.20-1~deb12u2 500 <- debian bookworm + bookworm-security * 3.0.20-1~deb12u2 600 <- packages.vyos.net rolling (same version string, higher pin) * 3.0.17-1~deb12u2 500 <- bookworm-updates This results in APT seeing a version-string tie between Debian's build and the VyOS repo build of the same package and, because of the pin-priority swap, classifies switching to the VyOS repo copy as a "downgrade". This is fixed by appending a clear VyOS related marked to the package version, preventing any possible downgrade detection. Signed-off-by: Date Huang <tjjh89017@hotmail.com> Co-authored-by: Christian Breunig <christian@breunig.cc>
Diffstat (limited to '.github/workflows/codeql.yml')
0 files changed, 0 insertions, 0 deletions