What I mean by the title of this post is that the Ubuntu folks sometimes push security updates to the $release-updates repository as well. I'm told this is done so that they propagate faster across all the mirrors. When that happens, APT sees those packages as coming from the $release-updates repository ONLY.
unattended-upgrade decides what to install by matching the origin of each candidate package against its Allowed-Origins list, which on a stock Ubuntu install contains only the $release-security repository. So it is fooled into thinking there are no security updates available and never installs them automatically, despite all the configuration instructing it to do so.
Good thing my little software updates report script shows these security updates regardless; that's how I know about this.
The trick to dealing with this quirk is as simple as keeping a separate APT sources list file that contains only the security repositories, and pointing apt at that file with the -o Dir::Etc::SourceList option. Build the file from the existing sources.list, matching the -security pocket name and overwriting the file with > rather than appending with >>, so re-running the command does not duplicate entries:
sudo sh -c 'grep ^deb /etc/apt/sources.list | grep -- -security > /etc/apt/sources.security.repos.only.list'
Then ask apt what it would upgrade using only that file (-s simulates; drop it to actually install):
apt-get -s dist-upgrade -o Dir::Etc::SourceList=/etc/apt/sources.security.repos.only.list
Two caveats. First, Dir::Etc::SourceList only replaces /etc/apt/sources.list; anything in /etc/apt/sources.list.d/ is still read unless you also pass -o Dir::Etc::SourceParts=- (a non-existent directory, which apt silently skips). Second, do not run apt-get update with the restricted list: apt's list cleanup removes index files for sources that are no longer configured, so the main and -updates indexes would be deleted (pass -o APT::Get::List-Cleanup=0 if you must). A normal apt-get update beforehand is enough, since the -security indexes are already in /var/lib/apt/lists.
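The same procedure wrapped in a small POSIX shell script, added here as an example and not code from the original post. The function names, the output file name and the sample sources.list contents are constructed for illustration; it extends the grep above to skip deb-src lines and to cope with a leading [options] block on a deb line.

```shell
#!/bin/sh
# Added example (not from the original post): build a security-only sources
# list from a one-line-format sources.list and run apt against it.
# Function names, file names and SAMPLE_SOURCES are constructed for illustration.

# Print the binary ("deb") entries whose suite is a -security pocket.
# The suite is the field after the URL; a leading [options] block such as
# [arch=amd64] is skipped, and deb-src lines are ignored because only binary
# packages are upgraded.
security_sources() {
    awk '$1 == "deb" {
        rest = $0
        sub(/^deb[ \t]+/, "", rest)
        sub(/^\[[^]]*\][ \t]+/, "", rest)
        n = split(rest, f, "[ \t]+")
        if (n >= 2 && f[2] ~ /-security$/) print
    }' "$1"
}

# Number of security entries found in the given sources.list.
count_security_sources() {
    security_sources "$1" | wc -l | tr -d ' '
}

# Write the security-only list, overwriting (>) so repeated runs do not
# duplicate entries the way ">>" would.
write_security_list() {
    security_sources "$1" > "$2"
}

# Run an apt-get subcommand against the security list only. SourceParts is
# pointed at a non-existent directory so /etc/apt/sources.list.d/ (where the
# -updates pocket often lives) is not consulted. Do not run "update" through
# this without -o APT::Get::List-Cleanup=0: apt would delete the index files
# of every source absent from the restricted list.
security_apt() {
    list="$1"; shift
    apt-get "$@" \
        -o Dir::Etc::SourceList="$list" \
        -o Dir::Etc::SourceParts=-
}

# Constructed sample sources.list used for a quick self-check: only the third
# line is a binary -security entry (the PPA merely has "security" in its URL).
SAMPLE_SOURCES='deb http://archive.ubuntu.com/ubuntu jammy main restricted
deb http://archive.ubuntu.com/ubuntu jammy-updates main restricted
deb [arch=amd64] http://security.ubuntu.com/ubuntu jammy-security main restricted
deb-src http://security.ubuntu.com/ubuntu jammy-security main restricted
deb http://ppa.example/securitytools/ubuntu jammy main'

# Usage (as root, after a normal apt-get update):
#   sh security-only-upgrade.sh /etc/apt/sources.list /etc/apt/sources.security.repos.only.list
if [ "$#" -eq 2 ]; then
    write_security_list "$1" "$2"
    security_apt "$2" -s dist-upgrade   # drop -s to actually install
fi
```

The awk filter matches on the suite field rather than on the word "security" anywhere in the line, which is what keeps the PPA entry in the sample out of the generated list.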