A while ago I realised that some of my Ubuntu systems, most of them nspawn containers, don’t receive any updates. I didn’t really care about the containers, but as I realised that one of my internet-facing hosts is also affected, I began to search. I searched on https://packages.ubuntu.com/ for the newest kernel and locally with apt-cache policy linux-generic for the newest available on the system. Of course the kernel which apt listed was way older, but at least I thereby saw that the kernel in the repos should come from the “security” list. All the systems had in common that I created them with debootstrap, most of them via an Ansible role which explicitly adds universe as a component. I thought that was enough, but it leads to a sources.list with just the basic package list, leaving out the security and updates lists.

After I added them manually I got the ton of updates I was missing for something like a year.

deb http://de.archive.ubuntu.com/ubuntu focal main universe restricted
deb http://de.archive.ubuntu.com/ubuntu focal-security main universe restricted
deb http://de.archive.ubuntu.com/ubuntu focal-updates main universe restricted

Afterwards I read the manpage of debootstrap and figured out that it is not capable of bootstrapping from multiple sources. There is another tool called Multistrap for that, but it needs its information from a config file and cannot be fed via command-line parameters.

Update (20.09.2022): For the sake of completeness, the problem is the same for Debian systems and for systems created with mkosi. Here is the full file which contains all repositories:

deb http://deb.debian.org/debian bullseye main contrib non-free
deb http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
deb http://deb.debian.org/debian bullseye-updates main contrib non-free
# optional
deb http://deb.debian.org/debian bullseye-backports main contrib non-free
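
To catch the same gap on other debootstrap-built systems, the following check lists the -security and -updates suites that a sources.list lacks. It is an added example, not part of the original post; the function name missing_suites and the sample input are made up for illustration, and it assumes the suite naming shown above (focal-security, bullseye-security).

```shell
#!/bin/sh
# missing_suites FILE: print each -security / -updates suite that FILE lacks.
# Assumes one-line-style "deb ..." entries (not deb822 .sources files).
missing_suites() {
    awk '
        $1 != "deb" { next }              # skip comments, blanks, deb-src
        {
            i = 2
            if ($i ~ /^\[/) {             # skip "[arch=amd64 ...]" options
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            suite = $(i + 1)              # $i is the URI, then the suite
            if (suite != "") seen[suite] = 1
        }
        END {
            for (s in seen) {
                # pockets are not base suites themselves
                if (s ~ /-(security|updates|backports|proposed)$/) continue
                sec = s "-security"; upd = s "-updates"
                if (!(sec in seen)) print sec
                if (!(upd in seen)) print upd
            }
        }
    ' "$1" | sort
}

# Constructed sample: the kind of file a plain debootstrap run leaves behind.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample input
deb http://de.archive.ubuntu.com/ubuntu focal main universe
EOF
missing_suites "$sample"
rm -f "$sample"
```

Run it against /etc/apt/sources.list inside each container or image; any output names a suite that is not configured.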