Puppet: install packages from backports

In general, we rely on Debian - just the “stable” version.

As Debian is on a two year cycle for new stable releases, the second year tends to be a bit of a stretch: previously acceptable stable versions are now outdated, or known security issues are not patched, as the next release is already on its way.

In the most recent case, the latter happened to SSH:

Due to 7.9p1 being vulnerable to CVE-2019-16905, the package should be updated.

Luckily, the Debian Backports close this and provide (some) packages from the next stable release already on the current one.

To now use Puppet to install packages from the Debian Backports, APT pinning is configured in the APT preferences.

First, we add the backports repository, which is not too complicated - thanks to puppetlabs-apt:

  case $facts['os']['release']['major'] {
    '9','10': {
      $ensure = 'present'
      $location = 'http://deb.debian.org/debian'
    default: {
      $ensure = 'absent'
      $location = 'http://archive.debian.org/debian'
  apt::source { 'debian-backports':
    ensure   => $ensure,
    location => $location,
    repos    => 'main contrib non-free',
    release  => "${facts['lsbdistcodename']}-backports",

Now we pin the OpenSSH packages to the backports release:

  $pin_packages = [
  apt::pin { 'ssh_backports':
    ensure   => 'present',
    priority => 500,
    packages => $pin_packages,
    release  => "${facts['lsbdistcodename']}-backports",
      ensure => 'present',

The selected packages will now be installed from the backports repository.