diff options
| author | Date Huang <tjjh89017@hotmail.com> | 2026-07-14 14:10:41 +0800 |
|---|---|---|
| committer | Christian Breunig <christian@breunig.cc> | 2026-07-16 21:23:07 +0200 |
| commit | 2a4632a0206084eaf6d8baba082b6f636e57d56a (patch) | |
| tree | 5afa0a2d4286e53e768f707245dd930f3f8bb10b /.github/workflows/codeql.yml | |
| parent | 5e2e9a3375a0ec3845822702fb255ac03e2b661f (diff) | |
| download | vyos-build-2a4632a0206084eaf6d8baba082b6f636e57d56a.tar.gz vyos-build-2a4632a0206084eaf6d8baba082b6f636e57d56a.zip | |
openssl: T9083: fix APT detected package downgrade despite identical versions
VyOS rolling APT repo (packages.vyos.net/repositories/rolling) publishing its
own openssl/libssl3 packages, pinned at priority 600 (higher than Debian's 500)
causes a "poisoning" of the APT cache policy inside the chroot:
openssl:
Installed: 3.0.20-1~deb12u2
Candidate: 3.0.20-1~deb12u2
Version table:
* 3.0.20-1~deb12u2 500 <- debian bookworm + bookworm-security
* 3.0.20-1~deb12u2 600 <- packages.vyos.net rolling (same version string, higher pin)
* 3.0.17-1~deb12u2 500 <- bookworm-updates
This results in APT seeing a version-string tie between Debian's build and the
VyOS repo build of the same package and, because of the pin-priority swap,
classifies switching to the VyOS repo copy as a "downgrade".
This is fixed by appending a clear VyOS related marked to the package version,
preventing any possible downgrade detection.
Signed-off-by: Date Huang <tjjh89017@hotmail.com>
Co-authored-by: Christian Breunig <christian@breunig.cc>
Diffstat (limited to '.github/workflows/codeql.yml')
0 files changed, 0 insertions, 0 deletions
