Correctly install security updates on Debian

[RealOrangeOne]

Currently, whilst Debian is advertised as supported, the unattended-upgrades configuration doesn't actually install security updates, which could leave users with vulnerable servers, even though they've installed a package designed to install security updates automatically.

This PR adds the Debian syntax for their security Origin, in a way which supports both Debian and Ubuntu-based distributions. Currently, it special-cases Debian, but I'm not opposed to special-casing both Debian and Ubuntu explicitly.

I would have gone through responsible-disclosure channels, as this has severe security ramifications with this change, however this is a very public issue already, but hasn't been resolved:

• Fixes unattended upgrades for Debian Buster, and possibly earlier... #81
• update templates Debian unattended-upgrades #91
• Unattended upgrades seems broken on Debian-10 #74
• Debian autoupdates not working. #57
• unattended-upgrades config is broken in Debian #32

#126 is a great start, however the default configuration should still install security updates, as mentioned in the README.

[wiene]

I also stumbled across this issue. I wonder whether it would be better to switch to the more powerful Unattended-Upgrade::Origins-Pattern apt configuration list rather than Unattended-Upgrade::Allowed-Origins. The drawback of the solution proposed in this PR is that it does not yield the desired behavior once the system turns from stable to oldstable.

[RealOrangeOne]

I can't see anything in the Origin for my packages which would help the switch from stable to oldstable:

<Origin component:'main' archive:'stable-security' origin:'Debian' label:'Debian-Security' site:'security.debian.org' isTrusted:True>

That seems imply changes to the configuration anyway - although I'm not sure what the stock Debian configuration looks like.

I'm all for using the updated syntax too where supported. If you can point me to a reference I'm happy to update my PR, in hopefully a backwards-compatible way!

[wiene]

The default configuration shipped with Debian Bookworm can be found here. The codename based matching used in these lines should work for a particular release independent from the archive it is presently in.

The comments in the default configuration file provide quite detailed information on the available configuration options and some more information can be found in the README file.

The Unattended-Upgrade::Origins-Pattern configuration option was introduced in 2011.

[RealOrangeOne]

aha, fantastic. My search-engine-fu wasn't up to scratch to find that. Yes porting to Origins-Pattern as the default sounds like the way to go. Ubuntu's default doesn't seem to use Origins-Pattern, but I should be able to work those out. I'll give it a play.