Defer kernel updates until the corresponding “linux-headers” package is available


I'm using Debian 12 Bookworm, and currently, when I run uname -a, it shows:

Linux pctxd 6.1.0-20-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.85-1 (2024-04-11) x86_64 GNU/Linux

The package linux-image-6.1.0-21-amd64 and related packages are ready to install. However, the corresponding linux-headers-6.1.0-21-amd64 package is not available. Without these headers, the Nvidia drivers can't be compiled, rendering the graphical user interface non-functional—something I learned the hard way during the last upgrade to 6.1.85-1.

Running aptitude show yields:

Package: linux-image-6.1.0-21-amd64      
Version: 6.1.90-1
New: yes
State: not installed
Priority: optional
Section: kernel
Maintainer: Debian Kernel Team <[email protected]>
Architecture: amd64
Uncompressed Size: 408 M
Depends: kmod, linux-base (>= 4.3~), initramfs-tools (>= 0.120+deb8u2) | linux-initramfs-tool
Recommends: firmware-linux-free, apparmor
Suggests: linux-doc-6.1, debian-kernel-handbook, grub-pc | grub-efi-amd64 | extlinux
Conflicts: linux-image-6.1.0-21-amd64-unsigned
Breaks: fwupdate (< 12-7), initramfs-tools (< 0.120+deb8u2), wireless-regdb (< 2019.06.03-1~)
Replaces: linux-image-6.1.0-21-amd64-unsigned
Provides: $kernel (= 6.1.90-1)

Just now, the web page “Package: linux-headers-6.1.0-21-amd64” seems to describe the missing package, but clicking the “list of files” button results in an error page with the information “No such package in this suite on this architecture.”

Currently, there is another security update (regarding libglib2.0) waiting. So, the time lag between the kernel security update and the linux header files necessary for my graphic UI is an increasing risk.

For future updates: Is there a way to automatically defer the kernel update until the linux-headers package is available but process the security updates of other packages?

Best Answer

The kernel image and headers packages come from the same source package, so they are available simultaneously on the mirror network (barring failures on a specific mirror). If you follow the amd64 link on the linux-headers-6.1.0-21-amd64 package page, you’ll find a package download link which works; that’s the package which apt will download. Examining the package pool shows that all the amd64 packages for 6.1.90-1 were uploaded at the same time, 2024-05-03 21:54.

The package file list is unfortunately not particularly reliable for packages which aren’t in the main archive — the latest Debian 12 kernel package was published in the security archive.

Given the many different scenarios around kernel image and headers packages, it isn’t possible to introduce dependencies between them such that one could guarantee that an image package is only installed if its matching headers package is also installed. In any case that still wouldn’t ensure smooth updates for NVIDIA users — what matters there is whether the NVIDIA module is successfully built, and that can fail with matching kernel packages.
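
As an added example (not part of the original question or answer), the following script checks, before a reboot, the condition the answer's last paragraph singles out: that each installed kernel has both its headers and a successfully built DKMS module. The module name `nvidia-current`, the version in the sample data and the helper names are assumptions made for illustration; the sample input is constructed.

```shell
#!/bin/sh
# Added example: is every installed kernel ready to boot with its DKMS module?
# releases PREFIX: stdin is dpkg-query output ("ii  <package>" per line); print the
# kernel release of each fully installed PREFIX-<release> package.
releases() {
    awk -v p="$1-" '$1 == "ii" && index($2, p) == 1 {
        r = substr($2, length(p) + 1); sub(/-unsigned$/, "", r)
        if (r ~ /^[0-9]/) print r }'
}

# module_built MODULE RELEASE: stdin is "dkms status" output; succeed only if a
# module whose name starts with MODULE is "installed" for RELEASE. Accepts both
# "mod/ver, release, arch: state" and the older "mod, ver, release, arch: state".
module_built() {
    awk -v mod="$1" -v rel="$2" -F': ' '
        { n = split($1, f, /, */)
          if (n >= 3 && index(f[1], mod) == 1 && f[n-1] == rel && $2 ~ /^installed/) ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# report IMAGES HEADERS DKMS MODULE: one line per installed kernel image;
# returns non-zero if any kernel lacks headers or a built module.
report() {
    rc=0
    for rel in $(printf '%s\n' "$1" | releases linux-image); do
        if ! printf '%s\n' "$2" | releases linux-headers | grep -qxF "$rel"; then
            echo "$rel: headers missing"; rc=1
        elif ! printf '%s\n' "$3" | module_built "$4" "$rel"; then
            echo "$rel: $4 not built"; rc=1
        else
            echo "$rel: ready"
        fi
    done
    return $rc
}

# Constructed sample: headers for 6.1.0-21 are installed, but the module was only built for -20.
IMAGES='ii  linux-image-6.1.0-20-amd64
ii  linux-image-6.1.0-21-amd64
ii  linux-image-amd64'
HEADERS='ii  linux-headers-6.1.0-20-amd64
ii  linux-headers-6.1.0-21-amd64'
DKMS='nvidia-current/525.147.05, 6.1.0-20-amd64, x86_64: installed'
report "$IMAGES" "$HEADERS" "$DKMS" nvidia-current || echo "not ready: keep the running kernel"
# Live use on Debian (assumes dkms is installed and the module name is nvidia-current):
#   q='${db:Status-Abbrev} ${Package}\n'
#   report "$(dpkg-query -W -f="$q" 'linux-image-[0-9]*')" \
#          "$(dpkg-query -W -f="$q" 'linux-headers-[0-9]*')" "$(dkms status)" nvidia-current
```

On the constructed sample the 6.1.0-21 kernel is reported as not built even though its headers are present, which is the case the answer warns about.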