Cannot downgrade linux-image-amd64

Some time ago, I wanted to try the 5.10.127-2~bpo10+1 kernel on Debian 10 Buster system.

However, that kernel was not maintained nor patched by Debian any longer.

Now, new 4.19.x kernels no longer upgrade automatically, as the linux-image-amd64 package is version 5.10.127-2~bpo10+1.

When I try to downgrade back to 4.19.169-1, so the 4.19.x line of kernels would upgrade automatically, I get:

root@domac:~# apt-get -t buster -s install linux-image-amd64
Reading package lists... Done
Building dependency tree
Reading state information... Done
linux-image-amd64 is already the newest version (5.10.127-2~bpo10+1).

I know of the --allow-downgrades option, but the manual says it is dangerous and it can do damage to the system without asking any questions:

   --allow-downgrades
       This is a dangerous option that will cause apt to continue without prompting if it is doing downgrades. It should not be used except in very
       special situations. Using it can potentially destroy your system! Configuration Item: APT::Get::allow-downgrades. Introduced in APT 1.1.

I could try

root@domac:~# apt-get -t buster -s --allow-downgrades install linux-image-amd64

However, I am not sure that this will be safe on a production machine. In simulation as non-root, it did not downgrade nor reinstall linux-image-amd64 version 4.19.269-1:

username@domac:~$ apt-get -t buster -s --allow-downgrades install linux-image-amd64
NOTE: This is only a simulation!
      apt-get needs root privileges for real execution.
      Keep also in mind that locking is deactivated,
      so don't depend on the relevance to the real current situation!
Reading package lists... Done
Building dependency tree
Reading state information... Done
linux-image-amd64 is already the newest version (5.10.127-2~bpo10+1).

Thank you very much for all help.

NOTE:

On CentOS clones and rpm packaging, I could downgrade kernel with:

# rpm -ivh --oldpackage ./kernel-<version>-<build>.rpm

Successfully done that many times, but I can't seem to find a .deb apt package equivalent.

Indeed downgrading a package is never guaranteed. But for this specific case, the linux-image-amd64 is an almost empty metapackage used only for its dependency to the actual kernel package. Such downgrade won't be dangerous.

Stating the intended version or release (until Debian 11 there was no separate -security codename so it's just buster not buster-security) will take care of forcing the intended version/release without forcing a downgrade on any other package (it would fail instead if it was needed):

apt-get install linux-image-amd64/buster

(Today) this will pull package linux-image-4.19.0-23-amd64 which is the actual 4.19.269 kernel (plus Debian changes), but 4.19.282 is in the pipeline.

Some notes about support and security.

• backported packages don't have any security guarantee.

• Debian 10 is now in its LTS phase, with more limited support on a more limited set of packages. One could assume base packages such the kernel still get security support, but might not get all support.

  For example on this page: https://security-tracker.debian.org/tracker/source-package/linux one can see that:

  • the entry for CVE-2023-28466 has been ignored for Debian 10's kernel while it has been fixed for Debian 11's kernel.
  • at the same time (at least today), CVE-2023-31436 has been fixed in yet-to-be-released next Debian 10's kernel 2 days ago, while it doesn't appear yet available for Debian 11.

  Often, but not always, it depends on availability of the fix on upstream source since kernel is one to still track more closely than other packages upstream source.

Anyway it's a good idea to plan now about upgrading to Debian 11.