When using multiple third party Debian package repositories…

… one could get paranoid, that a third party repository could publish Debian packages, that mask out Debian’s own packages.

I’m particularily concerned that Google could get the idea that it knows better than everybody else and replace Debian’s packages by its own versions…

So I have set up repository pinning in such a way, that:

  1. security packages always have the highes priority. That is: given a higher version number of a package that is already installed or a new package to be installed the package from the security repository gets installed by preference.

  2. the next highest priority belongs to the repository of a well known Debian developper that is publishing multi-media packages. They contain codecs that Debian won’t publish and I want to have his packages installed so that I can consume the respective media content.

  3. next come the packages from Debian itself

  4. then come all third party repositories

  5. and the lowest priority goes with backported packages. Which means, unless another package explicitly asks for a new version I never want to install backported packages. That’s because I deem packages in the main repository to be generally better supported.

There’s a lot of usefule info on pinning on its respective Debian Wiki page and more details in the apt_preferences man page.

Here’s my /etc/apt/preferences.d/99-my-policy that should correspond to the above policy.

# execute `apt-cache policy` to see effective per repo policies
# see https://wiki.debian.org/AptConfiguration

# debian security has top prio
Package: *
Pin: origin security.debian.org
Pin-Priority: 503

# install packages with additional codecs, if available
Package: *
Pin: origin www.that-multimedia-repository.org
Pin-Priority: 502

# stuff from debian has higher prio than 3rd party repos
Package: *
Pin: origin ftp.ch.debian.org
Pin-Priority: 501

# default prio of everything else is 500
# * Google Chrome etc.

# default prio of backports is 100
Package: *
Pin: release o=Debian Backports
Pin-Priority: 100