My words on free/open source software


Friday, November 07, 2008

Don't use APT::Default-Release in Ubuntu unless you know what you are doing

Setting APT::Default-Release in Ubuntu blocks all future security fixes and updates.

This applies to all Ubuntu releases up to and including Hardy. I haven't tested this on Intrepid, so I'm not sure about the releases after Hardy.

According to the apt_preferences manpage, the target release can be set on the apt-get command line or in the APT configuration file /etc/apt/apt.conf, and the line APT::Default-Release "stable"; is given as an example. This is a very common practice in the Debian community for setting the default release together with apt pinning, but doing the same in Ubuntu has a serious security impact, with no obvious warning.

After setting APT::Default-Release to "hardy", which is the "Suite" name of the main hardy source, no security fixes or updates will be installed unless their priorities are also set explicitly in apt_preferences. This is because in Ubuntu, security fixes come from the "hardy-security" source and other updates from the "hardy-updates" source, and both carry a different "Suite" from the main source. Setting APT::Default-Release raises the priority of packages from the main source to 990, but does not cover packages from hardy-security and hardy-updates, so the latter are ignored: their packages now have a lower priority (only 500) than the older ones in the main source (990).
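The following script is an added example for this post (it is not from the original post and not part of apt). It parses the "Package files:" section that `apt-cache policy` prints, flags pockets of the default release (hardy-security, hardy-updates) whose priority is below the 990 that Default-Release gives the main hardy source, shows with the post's priority rule why a newer security version still loses to an older main-source version, and emits the apt_preferences stanzas that would put the pockets back on equal terms. The `apt-cache policy` text and the package versions are constructed for the example, not captured from a real machine.

```python
"""Spot the APT::Default-Release trap from `apt-cache policy` output.

Added example for this post, not part of the original. SAMPLE_POLICY and
SAMPLE_VERSIONS are constructed, not captured from a real system.
"""
import re

# Constructed to resemble `apt-cache policy` on Hardy with
# APT::Default-Release "hardy" set: only the plain "hardy" source got 990.
SAMPLE_POLICY = """\
Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://archive.ubuntu.com/ubuntu hardy-updates/main Packages
     release v=8.04,o=Ubuntu,a=hardy-updates,n=hardy,l=Ubuntu,c=main
     origin archive.ubuntu.com
 500 http://security.ubuntu.com/ubuntu hardy-security/main Packages
     release v=8.04,o=Ubuntu,a=hardy-security,n=hardy,l=Ubuntu,c=main
     origin security.ubuntu.com
 990 http://archive.ubuntu.com/ubuntu hardy/main Packages
     release v=8.04,o=Ubuntu,a=hardy,n=hardy,l=Ubuntu,c=main
     origin archive.ubuntu.com
Pinned packages:
"""

# Constructed (hypothetical) versions of one package as offered by two sources.
SAMPLE_VERSIONS = [
    ("2.6.24-19.41", "hardy", 990),
    ("2.6.24-21.43", "hardy-security", 500),
]

SOURCE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+Packages\s*$")
RELEASE_RE = re.compile(r"^\s*release\s+(\S+)\s*$")


def parse_policy(text):
    """Return one dict per package source: priority, uri and suite (the a= field)."""
    sources, current = [], None
    for line in text.splitlines():
        m = SOURCE_RE.match(line)
        if m:
            current = {"priority": int(m.group(1)), "uri": m.group(2), "suite": None}
            sources.append(current)
            continue
        m = RELEASE_RE.match(line)
        if m and current is not None:
            fields = dict(kv.split("=", 1) for kv in m.group(1).split(","))
            current["suite"] = fields.get("a")
    return sources


def starved_pockets(sources, default_release):
    """Pockets of default_release (suite "<release>-something") whose priority is
    below what the default release itself got, so their packages always lose."""
    default_prio = max(
        (s["priority"] for s in sources if s["suite"] == default_release), default=0
    )
    return sorted(
        (s["suite"], s["priority"])
        for s in sources
        if (s["suite"] or "").startswith(default_release + "-")
        and s["priority"] < default_prio
    )


def version_key(version):
    """Simplified ordering key (digit runs compare numerically). Not dpkg's full
    algorithm, but enough for the Ubuntu-style versions used here."""
    return tuple(int(p) if p.isdigit() else p for p in re.split(r"(\d+)", version))


def choose_candidate(versions):
    """The apt_preferences rule the post relies on: the highest priority wins and
    ties go to the highest version. (Priorities above 1000, which allow
    downgrades, are not modelled.) versions: list of (version, suite, priority)."""
    return max(versions, key=lambda v: (v[2], version_key(v[0])))


def preferences_stanzas(suites, priority):
    """apt_preferences(5) stanzas that pin each suite to `priority`."""
    return "\n\n".join(
        f"Package: *\nPin: release a={suite}\nPin-Priority: {priority}" for suite in suites
    )


if __name__ == "__main__":
    sources = parse_policy(SAMPLE_POLICY)
    starved = starved_pockets(sources, "hardy")
    print("pockets losing to the default release:", starved)
    print("candidate with the trap in place:", choose_candidate(SAMPLE_VERSIONS))
    repinned = [(v, s, 990 if s in dict(starved) else p) for v, s, p in SAMPLE_VERSIONS]
    print("candidate after pinning the pockets:", choose_candidate(repinned))
    print("suggested /etc/apt/preferences additions:")
    print(preferences_stanzas([s for s, _ in starved], 990))
```

On a real Hardy machine you would feed the output of `apt-cache policy` into `parse_policy` instead of the constructed sample; if `starved_pockets` reports hardy-security or hardy-updates, either drop APT::Default-Release or add the printed stanzas so those pockets also carry priority 990.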

I set APT::Default-Release to "hardy" in September this year and didn't find this problem until today. After removing that setting I was surprised to find that I could install 46 accumulated security fixes and updates. It is pretty sad to learn that I hadn't received security fixes for more than two months.

This is a radical deviation from the Debian practice. In Debian, all security fixes and updates carry the same "Suite" (etch or lenny), so setting APT::Default-Release to "etch" covers all security fixes and updates as well.

I think it's unlikely that Ubuntu will change the organization of its sources, so at the very least a fix for this problem is to patch the apt_preferences manpage, warning people not to use APT::Default-Release the way they have used it in Debian, and explaining the reason and the resulting impact.

I've opened a bug about this: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/295448

Sunday, September 14, 2008

Install ATI's fglrx Catalyst 8.8 Driver (v 8.522) on Linux 2.6.27

The Linux kernel 2.6.27 changed the smp_call_function() API, which breaks compilation of ATI's Catalyst 8.8 fglrx driver. You get errors like this:


/usr/src/fglrx-8.522/firegl_public.c:3080:50: error: macro "smp_call_function" passed 4 arguments, but takes just 3
/usr/src/fglrx-8.522/firegl_public.c: In function ‘__ke_flush_cache’:
/usr/src/fglrx-8.522/firegl_public.c:3080: error: ‘smp_call_function’ undeclared (first use in this function)
/usr/src/fglrx-8.522/firegl_public.c:3080: error: (Each undeclared identifier is reported only once
/usr/src/fglrx-8.522/firegl_public.c:3080: error: for each function it appears in.)
...


Loïc Minier has made a patch for Catalyst 8.7, and I've adapted it to Catalyst 8.8:

From 42a6390f599294c60a4960b0a6cd4e399b1a81ee Mon Sep 17 00:00:00 2001
From: Yan Li
Date: Sun, 14 Sep 2008 17:45:48 +0800
Subject: [PATCH] patch for building on 2.6.27

ref: http://groups.google.com/group/linux.debian.bugs.dist/browse_thread/thread/6086b1cb7674fc43
---
firegl_public.c | 15 +++++++++++----
1 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/firegl_public.c b/firegl_public.c
index bdc94b2..d85a567 100644
--- a/firegl_public.c
+++ b/firegl_public.c
@@ -202,6 +202,13 @@
#define preempt_enable()
#endif

+/* Since 2.6.27 smp_call_function doesn't have a nonatomic/retry argument */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,27)
+#define SMP_CALL_FUNCTION(func, info, retry, wait) smp_call_function(func, info, wait)
+#else
+#define SMP_CALL_FUNCTION(func, info, retry, wait) smp_call_function(func, info, retry, wait)
+#endif
+
// ============================================================
/* globals */

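Review bot: the `#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,27)` guard at the top of this hunk needs `<linux/version.h>`; no include is visible in the hunk, so confirm firegl_public.c already pulls it in before line 202, otherwise the `#if` fails to preprocess on every kernel. Also worth a line in the comment: on 2.6.27 and later the macro silently drops the `retry` argument that all four callers still pass, which is intended here but easy to miss when the next caller is added.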
@@ -3077,7 +3084,7 @@ int ATI_API_CALL __ke_flush_cache(void)
{
#ifdef __SMP__
/* write back invalidate all other CPUs (exported by kernel) */
- if (smp_call_function(deferred_flush, NULL, 1, 0) != 0)
+ if (SMP_CALL_FUNCTION(deferred_flush, NULL, 1, 0) != 0)
panic("timed out waiting for the other CPUs!\n");

/* invalidate this CPU */
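Review bot: this call site is guarded by `#ifdef __SMP__` while the other three call sites in this patch use `#ifdef CONFIG_SMP`; CONFIG_SMP is the symbol the kernel build defines, so unless the driver's own headers define `__SMP__`, this flush is compiled out on SMP kernels while the other callers are compiled in. Suggest checking where `__SMP__` comes from and, if nowhere, switching this block to `#ifdef CONFIG_SMP` for consistency.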
@@ -4796,7 +4803,7 @@ struct _agp_memory* ATI_API_CALL __ke_agp_allocate_memory_phys_list(
void ATI_API_CALL KCL_CallFuncOnOtherCpus(firegl_void_routine_t func_to_call)
{
#ifdef CONFIG_SMP
- smp_call_function( firegl_smp_func_parameter_wrap, (void*)func_to_call, 0, 1 );
+ SMP_CALL_FUNCTION( firegl_smp_func_parameter_wrap, (void*)func_to_call, 0, 1 );
#endif
}

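Review bot: the return value of `SMP_CALL_FUNCTION(...)` is discarded here, whereas the other three call sites in this patch check it (`!= 0`) and panic or return. Treating failure consistently, at least logging it, would make this path easier to debug when the cross-CPU call does not run.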
@@ -4910,7 +4917,7 @@ static int ATI_API_CALL KCL_enable_pat(unsigned int save_orig_pat)
}

#ifdef CONFIG_SMP
- if (smp_call_function(KCL_setup_pat, NULL, 0, 1) != 0)
+ if (SMP_CALL_FUNCTION(KCL_setup_pat, NULL, 0, 1) != 0)
return 0;
#endif
KCL_setup_pat(NULL);
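Review bot: on the failure path this returns 0 before the local `KCL_setup_pat(NULL)` runs, while any CPUs that did execute the callback keep the new PAT setup (with `wait` set to 1 they have finished by the time the return value is checked). Either run the local setup before the cross-CPU call, or undo the change on the other CPUs before returning, so the system is not left with PAT enabled on some CPUs and not others.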
@@ -4929,7 +4936,7 @@ static void ATI_API_CALL KCL_disable_pat(void)
}

#ifdef CONFIG_SMP
- if (smp_call_function(KCL_restore_pat, NULL, 0, 1) != 0)
+ if (SMP_CALL_FUNCTION(KCL_restore_pat, NULL, 0, 1) != 0)
return;
#endif
KCL_restore_pat(NULL);
--
1.5.4.3


I suggest using the --buildpkg option of the ATI driver installer to build packages for your system. Those packages use dkms to build the kernel module needed. (For Debian/Ubuntu-flavour Linux, I suggest following the procedure described in https://help.ubuntu.com/community/BinaryDriverHowto/ATI.) After installing fglrx-kernel-source.*.deb, apply the above patch in /var/lib/dkms/fglrx/8.522/source, then run "sudo dkms build -m fglrx -v 8.522" to build the kernel module.

Reference:
http://groups.google.com/group/linux.debian.bugs.dist/browse_thread/thread/6086b1cb7674fc43

About Me

Santa Cruz, California, United States