Devuan bug report logs - #294
task-kde-desktop silently pulls in unattended-upgrades

Package: tasksel; Maintainer for tasksel is Devuan Dev Team <>;

Reported by: Olaf Meeuwissen <>

Date: Sun, 17 Feb 2019 11:33:01 UTC

Severity: normal

Full log

Message #5 received at (full text, mbox, reply):

Received: (at submit) by; 17 Feb 2019 11:30:03 +0000
Return-Path: <>
Received: from []
	by fulcanelli with IMAP (fetchmail-6.3.26)
	for <debbugs@localhost> (single-drop); Sun, 17 Feb 2019 12:30:03 +0100 (CET)
Received: from ( [])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by (Postfix) with ESMTPS id 39723F60927
	for <>; Sun, 17 Feb 2019 12:24:00 +0100 (CET)
Received: by (mose-mo-sw1505) id x1HBNvM1013181; Sun, 17 Feb 2019 20:23:57 +0900
Received: from quark (localhost [])
	by (mose-mbox1510) id x1HBNoQc027422
	for <>; Sun, 17 Feb 2019 20:23:50 +0900
Received: from olaf (uid 1000)
	id 18172e
	by quark (DragonFly Mail Agent v0.11);
	Sun, 17 Feb 2019 20:23:49 +0900
User-agent: mu4e 0.9.18; emacs 25.1.1
From: Olaf Meeuwissen <>
Subject: task-kde-desktop silently pulls in unattended-upgrades
Date: Sun, 17 Feb 2019 20:23:48 +0900
Message-ID: <>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
[Message part 1 (text/plain, inline)]
Package: tasksel
Version: 3.48+devuan1

This came up on the mailing list[1] and Katolaz asked if I could submit
a bug report against this package so it would not be forgotten.


The general consensus on the mailing list was that unattended-upgrades
should not "slip in a standard Devuan install unnoticed".

On the mailing list I provided details based on ASCII but I figured it
would be more useful to look at beowulf.  The following is based on an
up-to-date (2019-02-17) Docker image[2].

 [2]: docker pull

First off, I must say that the approach I used on the mailing list is
flawed.  It does not handle the case of alternatives correctly as it
chases down dependency relations for *all* listed alternatives.  This
leads to false positives.

# All desktop tasks listed all desktop tasks as their dependencies in
# the case Recommends: are allowed :-/

So I followed a slightly different approach and did dry-run installs in
my devuan/slim:beowulf Docker image.

After installing tasksel, I ran

  tasksel --list-tasks \
    | awk '$2 ~ /desktop/ { print $2 }' \
    | while read task; do
        package=$(tasksel --task-packages $task)
        apt-get --dry-run install --install-recommends \
                $package > $package.install-recommends-dry-run
  grep -l unattended-upgrades *.install-recommends-dry-run

That yielded


So the KDE desktop task is the only supported Devuan desktop tasks that
would "slip in unattended-upgrades unnoticed".

I've attached the output of

  apt-cache depends --recurse --no-suggests --no-conflicts --no-breaks \
            --no-enhances --no-replaces task-kde-desktop

so you check for yourself but unattended-upgrades gets pulled in via a
rather complex dependency chain that may not be easy to break :-/

# Much, much more so with beowulf than in ascii.

I think the easiest way to get out of this "mess" is to downgrade the
dependency on unattended-upgrades from a Recommends: to a Suggests: in

Hope this helps,
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software              
 Join the Free Software Foundation    
[task-kde-desktop.depends (text/plain, attachment)]

Send a report that this bug log contains spam.

Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <>.
Last modified: Wed Sep 30 07:12:23 2020;