Subject: apt-get behaving differently between cli(bash) and cron-apt - how to debug?

Sorry, this is long because I've already spent lots of time failing to
resolve this before coming here...

I'll start with a quick summary, then follow with the condensed detail...

=== Summary

tldr; apt-get behaves differently when invoked from the cli(bash)
compared to from cron-apt...

from bash, it works as desired:

# /usr/bin/apt-get -o quiet=1 dist-upgrade --download-only --assume-yes --option APT::Get::Show-Upgraded=true --target-release '/^bookworm(|-security|-updates|-backports)$/'
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages were automatically installed and are no longer required:
ÿ <snip>
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
ÿ <snip>
The following NEW packages will be installed:
ÿ <snip>
The following packages will be upgraded:
ÿ <snip>
167 upgraded, 49 newly installed, 3 to remove and 0 not upgraded.ÿ ÿ ÿ ÿ
ÿ ÿ ÿ ÿ ÿ<= The desired information
Need to get 0 B/571 MB of archives.
After this operation, 977 MB of additional disk space will be used.
Download complete and in download only mode

but, from cron-apt, it errors on the value of --target-release:

CRON-APT ACTION: 4-backports
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 dist-upgrade --download-only --assume-yes --option APT::Get::Show-Upgraded=true --target-release '/^bookworm(|-security|-updates|-backports)$/'
Reading package lists...
E: The value ''/^bookworm(|-security|-updates|-backports)$/'' is invalid
for APT::Default-Release as such a release is not available in the sources

... Q: how do I debug **why** apt-get is behaving differently? I
assume(is it?)ÿit's something to do with the apt configuration, but how
can I see that config? -o 'Debug::pkgInitialize=true' or -o 'Debug::pkgInitConfig=true' don't emit anything. (As a test, apt-get -o Debug::Acquire::http=true update does produce http debug on stdout.)

A: ?

==== Detail

I use cron-apt to tell me when updated packages are available to be
installed.

I've tried to extend it by adding a fourth action to show me what
updates are available from bookworm-backports too.

Now, if I just useÿ--target-release bookworm-backports, then apt-get
works from cron apt, but the output is wrong - it wants to downgrade a
load of packages, e.g.

# /usr/bin/apt-get -o quiet=1 dist-upgrade --download-only --assume-yes --option APT::Get::Show-Upgraded=true --target-release bookworm-backports Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages were automatically installed and are no longer required:
ÿ <snip>
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
ÿ <snip>
The following NEW packages will be installed:
ÿ <snip>
The following packages have been kept back:
ÿ <snip>
The following packages will be upgraded:
ÿ <snip>
The following packages will be DOWNGRADED:
ÿ <snip>
106 upgraded, 19 newly installed, 167 downgraded, 11 to remove and 2 not upgraded.ÿ ÿ ÿ <== 167 downgraded !?!? :-o
E: Packages were downgraded and -y was used without --allow-downgrades.

It's doing this because of how '--target-release bookworm-backports'
messes with the source priorities ...

# apt-cache policy --target-release bookworm-backports | grep main |
grep amd64
ÿ 50 http://deb.debian.org/debian testing/main amd64 Packages
ÿ ÿ ÿrelease o=Debian,a=testing,n=forky,l=Debian,c=main,b=amd64
ÿ500 http://deb.debian.org/debian-debug
bookworm-proposed-updates-debug/main amd64 Packages
ÿ ÿ ÿrelease v=12-updates,o=Debian,a=oldstable-proposed-updates-debug,n=bookworm-proposed-updates-debug,l=Debian
debug,c=main,b=amd64
ÿ500 http://deb.debian.org/debian-debug bookworm-debug/main amd64 Packages
ÿ ÿ ÿrelease
v=12.13,o=Debian,a=oldstable-debug,n=bookworm-debug,l=Debian debug,c=main,b=amd64
ÿ990 http://deb.debian.org/debian bookworm-backports/main amd64 Packages
ÿ ÿ ÿrelease o=Debian Backports,a=oldstable-backports,n=bookworm-backports,l=Debian Backports,c=main,b=amd64
1000 https://security.debian.org/debian-security bookworm-security/main
amd64 Packages
ÿ ÿ ÿrelease v=12,o=Debian,a=oldstable-security,n=bookworm-security,l=Debian-Security,c=main,b=amd64
ÿ500 https://deb.debian.org/debian bookworm-updates/main amd64 Packages
ÿ ÿ ÿrelease v=12-updates,o=Debian,a=oldstable-updates,n=bookworm-updates,l=Debian,c=main,b=amd64
ÿ500 http://deb.debian.org/debian bookworm/main amd64 Packages
ÿ ÿ ÿrelease
v=12.13,o=Debian,a=oldstable,n=bookworm,l=Debian,c=main,b=amd64

... so it puts bookworm-backports at 990, compared to bookworm/main and bookworm-updates at 500 and bookworm-security at 1000.

This results in it wanting to downgrade all the packages where the
version in bookworm-security (at priority 1000) is behind bookworm/main
or bookworm-updates (at priority 500), e.g. apache2...

# apt-cache policy --target-release bookworm-backports apache2
apache2:
ÿ Installed: 2.4.66-1~deb12u1
ÿ Candidate: 2.4.62-1~deb12u2
ÿ Version table:
ÿ ÿ ÿ2.4.66-2+b1 50
ÿ ÿ ÿ ÿ ÿ50 http://deb.debian.org/debian testing/main amd64 Packages
ÿ*** 2.4.66-1~deb12u1 500
ÿ ÿ ÿ ÿ 500 http://deb.debian.org/debian bookworm/main amd64 Packages
ÿ ÿ ÿ ÿ 100 /var/lib/dpkg/status
ÿ ÿ ÿ2.4.62-1~deb12u2 1000
ÿ ÿ ÿ ÿ1000 https://security.debian.org/debian-security bookworm-security/main amd64 Packages

... so it wants to downgrade apache2 from 2.4.66 to 2.4.62 which is in bookworm-security, because that's at a higher priority (1000) than the installed version (100/500).

To get the right behaviour, it's necessary to use the
regexÿ'/^bookworm(|-security|-updates|-backports)$/' so that all four
sources become equal at 990...

# apt-cache policy --target-release '/^bookworm(|-security|-updates|-backports)$/' | grep main | grep amd64
ÿ 50 http://deb.debian.org/debian testing/main amd64 Packages
ÿ ÿ ÿrelease o=Debian,a=testing,n=forky,l=Debian,c=main,b=amd64
ÿ500 http://deb.debian.org/debian-debug
bookworm-proposed-updates-debug/main amd64 Packages
ÿ ÿ ÿrelease v=12-updates,o=Debian,a=oldstable-proposed-updates-debug,n=bookworm-proposed-updates-debug,l=Debian
debug,c=main,b=amd64
ÿ500 http://deb.debian.org/debian-debug bookworm-debug/main amd64 Packages
ÿ ÿ ÿrelease
v=12.13,o=Debian,a=oldstable-debug,n=bookworm-debug,l=Debian debug,c=main,b=amd64
ÿ990 http://deb.debian.org/debian bookworm-backports/main amd64 Packages
ÿ ÿ ÿrelease o=Debian Backports,a=oldstable-backports,n=bookworm-backports,l=Debian Backports,c=main,b=amd64
ÿ990 https://security.debian.org/debian-security bookworm-security/main
amd64 Packages
ÿ ÿ ÿrelease v=12,o=Debian,a=oldstable-security,n=bookworm-security,l=Debian-Security,c=main,b=amd64
ÿ990 https://deb.debian.org/debian bookworm-updates/main amd64 Packages
ÿ ÿ ÿrelease v=12-updates,o=Debian,a=oldstable-updates,n=bookworm-updates,l=Debian,c=main,b=amd64
ÿ990 http://deb.debian.org/debian bookworm/main amd64 Packages
ÿ ÿ ÿrelease
v=12.13,o=Debian,a=oldstable,n=bookworm,l=Debian,c=main,b=amd64

... and so apt then correctly resolves on the version number alone.

That regex works when running apt-get from bash, but gives the error
when running it from cron-apt (see the summary at the top).

I haven't been able to work out why it's doing that.

I assume it's something to do with the configuration of apt-get that's different between the two environments?

I can't figure out what it might be (nothing jumps out from /usr/share/doc/apt/examples/configure-index).

I can't get debug working to see what the config actually is. It looks
as though Debug::pkgInitConfig=true or Debug::pkgInitialize=true ("This
one will dump the configuration space") should show me the config, but
adding these with -o or --option doesn't produce any debug output.

I'm expecting to see debug output on stdout/stderr, coz that's what
happens for 'apt-get -o Debug::Acquire::http=true update' - http debug
*is* seen on stdout/stderr.

'apt-get -o Debug::pkgInitialize=true update' just produces the regular output, same as plain 'apt-get update'.

Thanks,
Alan Dennis

--- PyGate Linux v1.5.2
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

Subject: Re: apt-get behaving differently between cli(bash) and cron-apt - how to debug?

Alan Dennis (HE12026-01-14):

E: The value ''/^bookworm(|-security|-updates|-backports)$/'' is invalid for APT::Default-Release as such a release is not available in the sources

... Q: how do I debug **why** apt-get is behaving differently?

The presence of doubled quotes around this string seems to indicate that apt-get is getting the arguments including the quotes. A manual test
confirms it is exactly the way to reproduce the issue. This suggests the parsing of the command line is not handled by a shell.

Regards,

--
Nicolas George

--- PyGate Linux v1.5.2
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

Subject: Re: apt-get behaving differently between cli(bash) and cron-apt - how to debug?

On Wed, Jan 14, 2026 at 11:48:10AM +0000, Alan Dennis wrote:

Sorry, this is long because I've already spent lots of time failing to resolve this before coming here...

I'll start with a quick summary, then follow with the condensed detail...

=== Summary

tldr; apt-get behaves differently when invoked from the cli(bash) compared
to from cron-apt...

[...]

... Q: how do I debug **why** apt-get is behaving differently? I assume(is it?)ÿit's something to do with the apt configuration, but how can I see that config? -o 'Debug::pkgInitialize=true' or -o 'Debug::pkgInitConfig=true' don't emit anything. (As a test, apt-get -o Debug::Acquire::http=true update does produce http debug on stdout.)

A: ?

Without looking too deeply into details, one strong candidate for
something behaving differently in cron than in your shell would
be the environment.
Specifically, apt-get names APT_CONFIG as an environment variable
pointing it to a config file. I'd try to unravel that first.
Perhaps you could sneak an "env > /tmp/foo" in your cron and then
compare that to your shell's session environment.
Cheers
--
t


--- PyGate Linux v1.5.2
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

Subject: Re: apt-get behaving differently between cli(bash) and cron-apt - how to debug?

On Wed, Jan 14, 2026 at 01:10:13PM +0100, Nicolas George wrote:

Alan Dennis (HE12026-01-14):

E: The value ''/^bookworm(|-security|-updates|-backports)$/'' is invalid for
APT::Default-Release as such a release is not available in the sources

... Q: how do I debug **why** apt-get is behaving differently?

The presence of doubled quotes around this string seems to indicate that apt-get is getting the arguments including the quotes. A manual test
confirms it is exactly the way to reproduce the issue. This suggests the parsing of the command line is not handled by a shell.

Sharp eye. This seems a hit.
Cheers
--
tom s


--- PyGate Linux v1.5.2
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

Subject: Re: apt-get behaving differently between cli(bash) and cron-apt - how to debug?

"oh flippin' 'eck"....

You're right... the fix is just to remove the quotes from the cron-apt
config - they're needed for the bash though.

Thanks for that! :-)

Cheers,
Alan Dennis

--- PyGate Linux v1.5.2
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)