2

Summary

Pinned package versions used to work, but stop working after some time.

I've pinned package versions to have a stable CI/CD and reproducible builds. But these pinned versions may start failing to install at any moment. Nonsense!

Steps to reproduce

  1. Pin package versions. All works.

```dockerfile
FROM python:3.10-slim-bullseye
RUN apt-get update -y \
    && apt-get install -y --no-install-recommends --no-upgrade \
    gcc=4:10.2.1-1 \
    g++=4:10.2.1-1 \
    git=1:2.30.2-1 \
    curl=7.74.0-1.3+deb11u2 \
    && apt-get -y autoremove && apt-get clean && rm -rf /var/lib/apt/lists/*
```

  2. Wait some time (a week, or a month, etc.)

The code used to work, but gave an error a month later:

#10 2.873 The following packages have unmet dependencies:
#10 2.939  curl : Depends: libcurl4 (= 7.74.0-1.3+deb11u2) but 7.74.0-1.3+deb11u3 is to be installed
#10 2.949 E: Unable to correct problems, you have held broken packages.

What is going on?

Does Debian remove some package versions?

Am I pinning my requirements in the wrong way?

I've fixed my build by writing curl=7.74.0-1.3+deb11u3, but I still do not understand why I cannot pin package versions forever to have reproducible builds.

Nairum

1 Answer

2

I was also facing this issue when trying to build docker images with pinned dependencies. I ended up pinning the version but ignoring the deb-version:

```dockerfile
RUN apt-get update -y && apt-get install --no-install-recommends -y curl=7.74.0-1.3* libcurl4=7.74.0-1.3*
```

You could probably also ignore everything that comes after the minor version, like this:

```dockerfile
RUN apt-get update -y && apt-get install --no-install-recommends -y curl=7.74.0* libcurl4=7.74.0*
```
dom