
Re: Why does my system download directly from security-cdn.debian.org?



On Thu, Aug 23, 2018 at 02:20:36PM -0400, Michael Stone wrote:
> On Thu, Aug 23, 2018 at 01:16:26PM -0400, Roberto C. Sánchez wrote:
> > deb http://apt-cache.localdomain:3142/security/ stretch/updates main contrib non-free
> > deb http://apt-cache.localdomain:3142/debian/ stretch main non-free contrib
> 
> apt-cacher would typically be used by putting something like
> Acquire::http::Proxy "http://apt-cache.localdomain:3142/";
> in /etc/apt.conf or a file in apt.conf.d and then putting the usual urls in
> sources.list (http://http.us.debian.org/debian/ or whatever; see
> /usr/share/doc/apt-cacher-ng/examples/000apt-cacher-ng-proxy). apt-cacher
> then transparently caches the requests. What's probably happening is that
> redirects are being sent which the cacher expects to intercept as the proxy,
> but you're not using it as a proxy.
> 
So, I finally got around to sorting this out*.

When I first tried the Acquire::http::Proxy configuration I started
getting 403 errors related to the InRelease file from the security
archive.  The normal archive had no issues at all.  I poked around for
quite a while (looked at log files, Google searches, man pages, etc.)
and figured out that I also needed to update the "debsec" mirror in my
apt-cacher-ng configuration to be "http://security-cdn.debian.org/"
instead of "http://security.debian.org/".  Once that was done, the 403
errors were all resolved.

At that point I was able to update the configurations of all of my
machines, all of my VMs, and all of my schroot/pbuilder/cowbuilder
environments.  As a bonus, I also found that now I can enter 
"http://apt-cache.localdomain:3142/" as the http_proxy address to the
Debian installer (for example, when creating a new VM) and it will use
the apt-cacher-ng instance for all package downloads.  Previously, I
would enter http://apt-cache.localdomain:3142/debian/ as the mirror
address, but the installer still used http://security.debian.org/ for
the security mirror (and it seems this cannot be changed).  That was
always a bit annoying the further one gets from a point release as the
number of packages in the security archive builds up.  Even more
annoying is that if you tell the installer to not use a network mirror,
it still tries to reach the security mirror over the network.  I did not
realize this and actually chewed through most of a month's quota
installing a VM recently.  That was what finally motivated me to figure
this out and fix all of my configurations.

In any event, I wanted to follow up here in case anybody else later
searches for something like "apt-cacher-ng 403" because of the
security-cdn issue.

Regards,

-Roberto

[*] As of a few months ago I am on a metered Internet connection and so
I became motivated to figure this out so that I could update all the
machines on my network without obliterating my quota.

-- 
Roberto C. Sánchez
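
The client-side switch discussed in this thread, from cacher-as-mirror lines in sources.list to the usual URLs plus Acquire::http::Proxy, as an added example that is not part of the original message. The mapping from the cacher's /security/ and /debian/ paths to upstream mirrors is an assumption, as are the names convert_line and migrate.

```python
import re

# Values taken from the thread; the prefix-to-mirror mapping is an assumption
# about how this particular cacher's /security/ and /debian/ paths are remapped.
CACHER = "http://apt-cache.localdomain:3142/"
PREFIX_TO_UPSTREAM = {
    "security": "http://security.debian.org/",
    "debian": "http://http.us.debian.org/debian/",
}

# deb|deb-src, optional [options], URI, then suite and components
ENTRY = re.compile(r"^(deb(?:-src)?)\s+(\[[^\]]*\]\s+)?(\S+)\s+(.*)$")


def convert_line(line):
    """Rewrite one sources.list line from cacher-as-mirror to the upstream URI."""
    m = ENTRY.match(line.strip())
    if not m:
        return line  # comment, blank line, or a format this sketch does not parse
    kind, opts, uri, rest = m.groups()
    if not uri.startswith(CACHER):
        return line  # already points at a real mirror
    prefix, _, tail = uri[len(CACHER):].partition("/")
    if prefix not in PREFIX_TO_UPSTREAM:
        # Fail loudly rather than guess an upstream for an unknown cacher path.
        raise ValueError(f"no upstream known for cacher path /{prefix}/")
    parts = [kind, (opts or "").strip(), PREFIX_TO_UPSTREAM[prefix] + tail, rest]
    return " ".join(p for p in parts if p)


def migrate(sources_text):
    """Return (new sources.list text, proxy snippet for a file in apt.conf.d)."""
    new_lines = [convert_line(line) for line in sources_text.splitlines()]
    proxy = f'Acquire::http::Proxy "{CACHER}";\n'
    return "\n".join(new_lines) + "\n", proxy


if __name__ == "__main__":
    # Constructed sample: the two lines quoted in the thread plus a comment.
    sample = (
        "# local cache\n"
        "deb http://apt-cache.localdomain:3142/security/ stretch/updates main contrib non-free\n"
        "deb http://apt-cache.localdomain:3142/debian/ stretch main non-free contrib\n"
    )
    sources, proxy = migrate(sample)
    print(sources, end="")
    print(proxy, end="")
```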

