Debian – apt package manager on Debian lists a package as upgradable but does not upgrade

aptdebianfirefoxupgrade

This issue is similar to Debian Linux not updating package, but in my case the newer package is not from backports:

§ apt list --upgradable
Listing... Done
firefox-esr-l10n-en-gb/stable 60.2.0esr-1~deb9u2 all [upgradable from: 52.9.0esr-1~deb9u1]
N: There is 1 additional version. Please use the '-a' switch to see it

§ sudo apt upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

§ apt policy firefox-esr-l10n-en-gb
firefox-esr-l10n-en-gb:
  Installed: 52.9.0esr-1~deb9u1
  Candidate: 60.2.0esr-1~deb9u2
  Version table:
     60.2.0esr-1~deb9u2 500
        500 http://security.debian.org stretch/updates/main amd64 Packages
 *** 52.9.0esr-1~deb9u1 500
        500 http://ftp.fr.debian.org/debian stretch/main amd64 Packages
        500 http://security.debian.org stretch/updates/main amd64 Packages
        100 /var/lib/dpkg/status

§ apt policy firefox-esr
firefox-esr:
  Installed: 52.9.0esr-1~deb9u1
  Candidate: 52.9.0esr-1~deb9u1
  Version table:
     60.2.0esr-1~deb9u2 500
        500 http://security.debian.org stretch/updates/main amd64 Packages
 *** 52.9.0esr-1~deb9u1 30000
        500 http://ftp.fr.debian.org/debian stretch/main amd64 Packages
        100 /var/lib/dpkg/status

§ apt -s install firefox-esr=60.2.0esr-1~deb9u2
NOTE: This is only a simulation!
      apt needs root privileges for real execution.
      Keep also in mind that locking is deactivated,
      so don't depend on the relevance to the real current situation!
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  firefox-esr-l10n-en-gb
Suggested packages:
  fonts-stix | otf-stix
The following packages will be upgraded:
  firefox-esr firefox-esr-l10n-en-gb
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst firefox-esr-l10n-en-gb [52.9.0esr-1~deb9u1] (60.2.0esr-1~deb9u2 Debian-Security:9/stable [all]) []
Inst firefox-esr [52.9.0esr-1~deb9u1] (60.2.0esr-1~deb9u2 Debian-Security:9/stable [amd64])
Conf firefox-esr-l10n-en-gb (60.2.0esr-1~deb9u2 Debian-Security:9/stable [all])
Conf firefox-esr (60.2.0esr-1~deb9u2 Debian-Security:9/stable [amd64])

What does it mean? Why firefox-esr is not upgraded?

Update

After the answer by Stephen Kitt, I discovered a file /etc/apt/preferences.d/apt-listbugs, created this morning when I ran upgrades, with the following content:

Explanation: Pinned by apt-listbugs at 2018-09-11 08:11:30 +0200
Explanation:   #908396: firefox-esr: stopped working after upgrade from 59 to 60
Explanation:   #908449: (no subject)
Package: firefox-esr
Pin: version 52.9.0esr-1~deb9u1
Pin-Priority: 30000

What does it mean?

Best Answer

You have firefox-esr pinned to the currently-installed version with a very high priority:

 *** 52.9.0esr-1~deb9u1 30000

That prevents any other version with a lower pin priority from being installed, including the security update which only has priority 500:

     60.2.0esr-1~deb9u2 500

The pin comes from apt-listbugs: it decided (or was told — I think it always asks, but there may be some configurations where it doesn’t) that the upgrade to Firefox 60 should be put on hold until bugs 908396 and 908449 are fixed. Those bugs are related to the new requirement for SSE2 instructions on i386; since you’re running amd64, they don’t concern you, and it should be safe for you to upgrade.

You need to remove the pin priority for the upgrade to proceed. Delete /etc/apt/preferences.d/apt-listbugs, and if apt-listbugs asks you again, tell it that you do want to upgrade.

Related Question