4

The unattended-upgrade package, which is useful for keeping in sync with security updates, seems to override pinned packages, thereby breaking my system regularly, and I have to uninstall it (thereby making my system less secure).

I see this with the firefox package. I am trying to use the package from Mozilla and have it pinned as such, so as not to use the snap package. It regularly gets "upgraded" (due to epoch) to the snap package. It took me a while to figure out why, but I figured it out via history.log:

Start-Date: 2024-05-16  10:19:05
Commandline: /usr/bin/unattended-upgrade
Upgrade: firefox:amd64 (125.0.3~build1, 1:1snap1-0ubuntu5)
End-Date: 2024-05-16  10:19:07
Start-Date: 2024-05-29  06:39:37
Commandline: /usr/bin/unattended-upgrade
Upgrade: firefox:amd64 (126.0~build2, 1:1snap1-0ubuntu5)
End-Date: 2024-05-29  06:39:38

apt/aptitude don't have this problem as they obey my pins, but unattended-upgrade does not.

Package: *
Pin: origin packages.mozilla.org
Pin-Priority: 1000
spotter
  • 201

1 Answer

2

It's an unfixed bug in unattended-upgrades:

The proper workaround is to allow all origins (repositories) for automatic upgrades:

/etc/apt/apt.conf.d/99unattended-upgrades-custom:

Unattended-Upgrade::Origins-Pattern {
    "origin=*";
};

Which may probably be what you want anyway.
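An added example, not part of the original question or answer: a Python sketch that scans text in the history.log format shown in the question and lists upgrades performed by unattended-upgrade in which the new version carries a higher epoch than the old one, as in the firefox entries above. The sample log, the `libexample1` package name and the function names are constructed for illustration.

```python
import re

# Constructed sample in the format of /var/log/apt/history.log (not real log data).
SAMPLE_LOG = """\
Start-Date: 2024-05-16  10:19:05
Commandline: /usr/bin/unattended-upgrade
Upgrade: firefox:amd64 (125.0.3~build1, 1:1snap1-0ubuntu5), libexample1:amd64 (1.2-1, 1.2-2)
End-Date: 2024-05-16  10:19:07

Start-Date: 2024-05-20  09:00:00
Commandline: apt install firefox
Upgrade: firefox:amd64 (1:1snap1-0ubuntu5, 126.0~build2)
End-Date: 2024-05-20  09:00:03
"""

# One "name:arch (old, new)" item from an Upgrade: line.
ITEM = re.compile(r"(\S+?):(\S+) \(([^,()]+), ([^,()]+)\)")

def epoch(version):
    """Debian version epoch: the integer before the first ':' (0 if absent)."""
    head, sep, _ = version.partition(":")
    return int(head) if sep and head.isdigit() else 0

def parse_entries(text):
    """Yield one dict per log entry; a new entry starts at each Start-Date line."""
    entry = None
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            continue  # blank line or anything that is not "Key: value"
        if key == "Start-Date":
            if entry:
                yield entry
            entry = {}
        if entry is not None:
            entry[key] = value.strip()
    if entry:
        yield entry

def epoch_bumps(text, tool="unattended-upgrade"):
    """Return (date, package, old, new) for upgrades by `tool` that raised the epoch."""
    hits = []
    for e in parse_entries(text):
        if tool not in e.get("Commandline", ""):
            continue
        for name, _arch, old, new in ITEM.findall(e.get("Upgrade", "")):
            if epoch(new) > epoch(old):
                hits.append((e["Start-Date"], name, old, new))
    return hits
```

Passing the contents of `/var/log/apt/history.log` to `epoch_bumps` gives a quick audit of what unattended-upgrade replaced, which is worth repeating after widening the allowed origins to `origin=*`.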