Discussion:
Bug#1012174: Inconsistent advice wrt security archive
David Prévot
2022-05-31 12:40:01 UTC
Package: www.debian.org,release-notes
Severity: normal
X-Debbugs-Cc: ***@security.debian.org

Hi teams,

The [errata] advises one to use

deb http://security.debian.org/debian-security bullseye-security main contrib non-free

while the [release-notes] advises

deb https://deb.debian.org/debian-security bullseye-security main contrib

Even if both will have the same result (the last time a non-free package
was uploaded to the security archive may have been during Etch), having
two different pieces of official advice makes it difficult in some situations
(“what should we actually use?”). Is the use of HTTPS via deb.d.o
preferable over HTTP via security.d.o? If so, maybe the errata should be
updated; if it’s the other way around, the release-notes should be
updated.

errata: https://www.debian.org/releases/stable/errata#security
release-notes: https://www.debian.org/releases/stable/amd64/release-notes/ch-information#security-archive

Regards

David
Julien Cristau
2022-05-31 13:10:01 UTC
Post by David Prévot
Package: www.debian.org,release-notes
Severity: normal
Hi teams,
The [errata] advises one to use
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
while the [release-notes] advises
deb https://deb.debian.org/debian-security bullseye-security main contrib
Even if both will have the same result (the last time a non-free package
was uploaded to the security archive may have been during Etch), having
two different pieces of official advice makes it difficult in some situations
(“what should we actually use?”). Is the use of HTTPS via deb.d.o
preferable over HTTP via security.d.o? If so, maybe the errata should be
updated; if it’s the other way around, the release-notes should be
updated.
errata: https://www.debian.org/releases/stable/errata#security
release-notes: https://www.debian.org/releases/stable/amd64/release-notes/ch-information#security-archive
The release-notes version is preferred, as far as scheme and hostname.

I don't have a particular opinion (and definitely not an authoritative
one) on listing non-free, but there's precedent of shipping
intel-microcode updates via the security archive, much more recently
than etch.

Cheers,
Julien
Brian Potkin
2022-05-31 15:20:01 UTC
Post by Julien Cristau
Post by David Prévot
Package: www.debian.org,release-notes
Severity: normal
Hi teams,
The [errata] advises one to use
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
while the [release-notes] advises
deb https://deb.debian.org/debian-security bullseye-security main contrib
Even if both will have the same result (the last time a non-free package
was uploaded to the security archive may have been during Etch), having
two different pieces of official advice makes it difficult in some situations
(“what should we actually use?”). Is the use of HTTPS via deb.d.o
preferable over HTTP via security.d.o? If so, maybe the errata should be
updated; if it’s the other way around, the release-notes should be
updated.
errata: https://www.debian.org/releases/stable/errata#security
release-notes: https://www.debian.org/releases/stable/amd64/release-notes/ch-information#security-archive
The release-notes version is preferred, as far as scheme and hostname.
There appears to be a consensus in favour of https. For example:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992692#37

Regards,

Brian.
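
Added example, not part of any message in this thread: a small Python audit that flags one-line-style APT entries for the security archive that differ from the release-notes scheme and hostname, and proposes the rewritten line. The function names and the sample file are constructed for illustration; components such as non-free are left as found, and deb822 `.sources` files are not handled.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Scheme and hostname used by the release-notes entry quoted in the thread.
PREFERRED = ("https", "deb.debian.org")
ARCHIVE_HOSTS = {"security.debian.org", "deb.debian.org"}
# One-line-style entry: type, optional [options], URI, suite, components.
ENTRY = re.compile(r"^(deb(?:-src)?)\s+(\[[^\]]*\]\s+)?(\S+)\s+(\S+)((?:\s+\S+)*)$")

# Constructed sample sources.list (hypothetical host, not real data).
SAMPLE = """\
# constructed sample
deb https://deb.debian.org/debian bullseye main
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
deb-src [arch=amd64] http://deb.debian.org/debian-security bullseye-security main
deb https://deb.debian.org/debian-security bullseye-security main contrib
"""

def audit_line(line):
    """Return (issues, suggested_line) for a security-archive entry that
    differs from the preferred scheme/hostname, otherwise None."""
    entry = line.split("#", 1)[0].strip()      # drop comments
    m = ENTRY.match(entry)
    if not m:
        return None
    kind, opts, uri, suite, comps = m.groups()
    url = urlsplit(uri)
    if url.hostname not in ARCHIVE_HOSTS or url.path.rstrip("/") != "/debian-security":
        return None                            # not the security archive
    issues = []
    if url.scheme != PREFERRED[0]:
        issues.append("scheme")
    if url.hostname != PREFERRED[1]:
        issues.append("host")
    if not issues:
        return None
    fixed_uri = urlunsplit((PREFERRED[0], PREFERRED[1], url.path, "", ""))
    fields = [kind, (opts or "").strip(), fixed_uri, suite, comps.strip()]
    return issues, " ".join(f for f in fields if f)

def audit(text):
    """Return [(line_number, issues, suggested_line)] for a whole file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        result = audit_line(line)
        if result:
            findings.append((n, *result))
    return findings

if __name__ == "__main__":
    for n, issues, fix in audit(SAMPLE):
        print(f"line {n}: {', '.join(issues)} -> {fix}")
```
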
Richard Lewis
2023-05-01 14:40:02 UTC
Post by Brian Potkin
Post by Julien Cristau
Post by David Prévot
The [errata] advises one to use
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
while the [release-notes] advises
deb https://deb.debian.org/debian-security bullseye-security main contrib
errata: https://www.debian.org/releases/stable/errata#security
release-notes: https://www.debian.org/releases/stable/amd64/release-notes/ch-information#security-archive
The release-notes version is preferred, as far as scheme and hostname.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992692#37
In release-notes the only http:// I could find was in en/upgrading.dbk
(apart from inside xmlns markup)
https://salsa.debian.org/ddp-team/release-notes/-/merge_requests/160
has just been submitted to update this to https

I don't think the 'errata' page above is in the release-notes repository (?)
Paul Gevers
2023-05-03 20:00:01 UTC
Hi Richard,
Post by Richard Lewis
I don't think the 'errata' page above is in the release-notes repository (?)
That's correct, but that's also why the original reporter filed the bug
against both www.debian.org and release-notes.

It lives here:
https://salsa.debian.org/webmaster-team/webwml/-/blob/master/english/releases/bookworm/errata.wml

Paul
Richard Lewis
2023-05-08 08:50:01 UTC
Post by Paul Gevers
Hi Richard,
Post by Richard Lewis
I don't think the 'errata' page above is in the release-notes repository (?)
That's correct, but that's also why the original reporter filed the bug
against both www.debian.org and release-notes.
thanks - didn't know that was even a possibility!
Post by Paul Gevers
https://salsa.debian.org/webmaster-team/webwml/-/blob/master/english/releases/bookworm/errata.wml
MR for that file submitted @
https://salsa.debian.org/webmaster-team/webwml/-/merge_requests/903