Mozillateam-Firefox Silently Replaced by Snap-Firefox in Spite of Lower Priority

(this is a rewrite of the original question as suggested in the comments)

I’m running Ubuntu 22.04 and am using firefox from the mozillateam ppa. My setup has ppa-firefox at priority 1001 (as suggested here) and my snap-firefox at priority 500 (default). Today, unattended-upgrades silently replaced my ppa-firefox with snap-firefox and I have trouble figuring out why.

I managed to reinstall my ppa-firefox with a simple apt-get remove firefox; apt-get install firefox so I suspect the priorities are working, but unattended-upgrade somehow didn’t respect them. The question is why?

Here’s my ppa-firefox app-pin:

$ cat /etc/apt/preferences.d/mozilla-firefox
Package: *
Pin: release o=LP-PPA-mozillateam
Pin-Priority: 1001

Here’s my current apt-cache policy after reinstalling firefox:

# apt-cache policy firefox
firefox:
  Installed: 120.0+build1-0ubuntu0.22.04.1~mt1
  Candidate: 120.0+build1-0ubuntu0.22.04.1~mt1
  Version table:
     1:1snap1-0ubuntu2 500
        500 http://de.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
 *** 120.0+build1-0ubuntu0.22.04.1~mt1 1001
       1001 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status

The unattended-upgrades-log admits it:

$ grep 'Unpacking firefox' /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
Unpacking firefox (1:1snap1-0ubuntu2) over (119.0.1+build1-0ubuntu0.22.04.1~mt1)

(See also here, and here)

EDIT: I have since given priority -1 to both snap and snap-firefox, as suggested in comments and answers to the questions above. So, I suppose this is fixed, but the question why unattended-upgrades replaced my ppa-firefox in spite of its higher priority (1001 > 500) remains open.

Asked By: igel

||

The entry for pinning is not enough; you need to de-prioritize the DEB package from the sources as well.

The following steps should work:

  • uninstall the Firefox installed via the PPA (if still present).
  • disable the PPA
  • uninstall the Firefox from the sources:
    • sudo apt remove firefox
    • sudo snap remove firefox
  • create a file like mozillateam under /etc/apt/preferences.d
  • add the following content to the file:
    Package: *
    Pin: release o=LP-PPA-mozillateam
    Pin-Priority: 100

    Package: firefox*
    Pin: release o=LP-PPA-mozillateam
    Pin-Priority: 1001

    Package: firefox*
    Pin: release o=Ubuntu
    Pin-Priority: -1
  • add the Mozilla PPA again
  • sudo apt update
  • install the Firefox – should be pulled from PPA now
Answered By: noisefloor

The unattended-upgrades-tool is configured by default to upgrade packages only from the distribution’s repositories. You can take a look at the configuration file /etc/apt/apt.conf.d/50unattended-upgrades.

The unattended-upgrades-tool does not know about packages from third party repositories unless you add them to the configuration file or add an extra configuration file which includes them.

Example for firefox:

echo 'Unattended-Upgrade::Allowed-Origins:: "LP-PPA-mozillateam:${distro_codename}";' | sudo tee /etc/apt/apt.conf.d/51unattended-upgrades-firefox

If you don’t add the repository to the configuration, the pinning you mention is worthless since the unattended-upgrades-tool does not know about the package and also doesn’t know about its pinning.

That’s why your firefox-package from the ppa got upgraded to the transitional firefox package from the distribution repository which then pulls in the snap and all necessary dependencies like snapd. It’s only a question of version numbers in this case.

Reference

Answered By: mook765