Add APT pinning for "postgresql" package

[tianon]

We had a confusing report that postgres:12 contained PostgreSQL 13 -- we weren't able to reproduce, but the reporter mentioned "debugging what's wrong with my dockerfiles" (#799) so the best we can figure is that they somehow ended up installing postgresql (either directly or indirectly via Depends:).

This adds APT pinning to ensure that can't succeed unless installing postgresql will give the same major version as the current image.

I'm honestly a little bit on the fence here -- there's a solid argument to be made for blocking this metapackage entirely instead (since installing it could bring a totally different install and/or version of PostgreSQL, in extreme cases).

I could also see an argument for creating our own mini virtual package and installing it instead, but IMO that's really a bridge too far.

I think it would probably also be useful for us to test blocking all the relevant Debian-provided packages, since they're low-hanging fruit that's not what we're after.

[tianon]

I think it would probably also be useful for us to test blocking all the relevant Debian-provided packages, since they're low-hanging fruit that's not what we're after.

This would be easier if we had APT 1.9.11+ and could thus pin by source package, but the packages we need to worry the most about start consistently with postgresql- or libpq (https://packages.debian.org/source/buster/postgresql-common, https://packages.debian.org/source/buster/postgresql-11, https://packages.debian.org/source/sid/postgresql-13), so it's not too bad. 😄

[df7cb]

This might add "too much magic", though.

If you go that route, I'd move the comment inside the installed file to people looking around can see the rationale better.

[tianon]

Yeah, that's fair -- we did something similar in PHP a few years ago in docker-library/php#542, and it did lead to some confusion, but mostly it helped folks find bugs in their own assumptions (and those who weren't willing to find bugs just figured out the rm line they needed to be able to keep plugging their ears 🙉).

I guess if we include Explanation:, there's a chance APT displays the rationale directly when it fails to install? (I haven't tested that much - I don't typically need an explanation when I use pinning on my own system. 😅)

Edit: nope 😞

[tianon]

(Updated to embed the Explanation: comment in the file in the image and to block PostgreSQL-related packages from Debian's repo, but I'm definitely still on the fence with this change.)

[tianon]

Also somewhat related: #677 + #678 (comment) (but in that case we decided the pinning wasn't necessary, I believe because libpq appears to be compatible such that it just needs to be "recent" ?)

Edit: further context - current postgres:12 does contain libpq 13, even though libpq 12 is in the ...-pgdg/12 repo it includes because ...-pgdg/main includes 13

[yosifkit]

Yes, this is a bit overreactive, so I think we should revisit this if it becomes a problem for a larger set of users.