howto/upgrades.md

@@ -132,6 +132,18 @@ Those packages are currently blocked from automatic upgrades in `unattended-upgr
   defined, by running `dpkg-reconfigure grub-pc`. this issue might
   actually have been fixed in the package, see [issue 40185](https://gitlab.torproject.org/tpo/tpa/team/-/issues/40185).
 
+Packages are blocked from upgrades when they cause significant
+breakage during an upgrade run, enough to cause an outage and/or
+require significant recovery work. This is done through Puppet, in the
+`profile::unattended_upgrades` class, in the `blacklist` setting.
+
+Packages can be unblocked if and only if:
+
+ * the bug is confirmed as fixed in Debian
+ * the fix is deployed on all servers and confirmed as working
+ * we have good confidence that future upgrades will not break the
+   system again
+
 ### Kernel upgrades and reboots
 
 Sometimes it is necessary to perform a reboot on the hosts, when the