Pin all packages from packages.sury.org APT source on Debian with lower priority

[hostingnuggets]

I suggest lowering the APT source pin priority of the packages.sury.org repository on Debian installations so that only the required packages for PHP 7.1+ gets automatically installed/upgraded and nothing else.

This would be as simple as adding the pin parameter to ::apt:source in the manifests/repo/debian.pp file as such:

    ::apt::source { 'sury_php_7':
      location => 'https://packages.sury.org/php/',
      release  => $facts['os']['lsb']['codename'],
      repos    => 'main',
      pin      => '400',
...

Without lowering the Pin-Priority then the next apt-get upgrade on a Debian system will want to install newer packages coming from the packages.sury.org repository instead of the official Debian repo such as libgd3 libpcre3 libssl1.1 openssl. This is not wanted.

[c33s]

sounds good to me. even better would be to allow to configure the pinning.

[hostingnuggets]

@c33s I was going to say that but forgot to mention it :+1:

[hostingnuggets]

It is indeed important to allow configuring pinning as I just found out that if the pinning (to a lower priority) is configured before installing for example PHP 7.2 it will fail because in this specific case the php7.2-cli package requires a newer version of the libpcre3 package which is only available in the packages.sury.org repo as you can see here from the output

The following packages have unmet dependencies:
 php7.2-cli : Depends: libpcre3 (>= 2:8.41) but 2:8.39-3 is to be installed
E: Unable to correct problems, you have held broken packages.

So it is a bit more complex than what I thought. For instance pinning should be configured after having installed PHP and not before.