> > 1) Ask before attempting to get security updates. (Obviously default to
> > yes).
>
> There's no good reason to ask. If the machine is network connected it
> should make every possible effort to use security updates, doing
> anything else is asking to be insecure.
>
> If you really want to disable it, you can preseed
> apt-setup/security_host to an empty string, as documented in the
> installation manual.
>
> > 2) Ask where to get them from. I have a local copy of them but there
> > seems to be no way to tell the installer to use this local copy.
>
> apt-setup/security_host can be used to override this.
> However, the security team doesn't like mirrors of security.debian.org,
> and asking that kind of question in any regular install is counter to
> our UI guidelines. We try to avoid asking questions when there's a
> default that will work for 99.99% of users.

I wonder whether we could have a kind of compromise here:

- keep the current behaviour when a regular mirror has been chosen
- at least ask for a proxy for security.d.o when the mirror settings
  have been entered manually

In that latter case, it is very likely that the user has chosen a mirror
which is internal to his/her organization. If we want to keep the
behaviour where the installer always tries to reach security.d.o (and we
do), we at least should do our best to be able to reach it.

This is IMHO a quite common case in large organizations using Debian:
machines are configured to use an internal mirror and will only use
external repositories for security updates. At least, this is exactly
the setup I use in my own organization... :-)

That doesn't completely answer John's question (always ask whether
security.d.o should be used... which I disagree with for default
installs) but that would help in many setups.

This proposed change is however not that hard to code, as this implies
setting up a per-host proxy setting in the generated apt settings.
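An added example, not part of the original message and not debian-installer code: a shell function that emits the kind of per-host proxy settings the message proposes, using apt's `Acquire::http::Proxy::<host>` option and its `DIRECT` keyword. The function names, host names and proxy URL are assumptions made up for illustration.

```shell
#!/bin/sh
# Added illustration (not debian-installer code): build an apt.conf fragment
# that sends only security-archive traffic through a proxy while the internal
# mirror is reached directly. Host names and proxy URL are constructed samples.

# is_plain_host HOST: accept only DNS-name characters, so a value typed at an
# installer prompt cannot close the quoted string or append apt directives.
is_plain_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# gen_security_proxy_conf MIRROR_HOST SECURITY_HOST PROXY_URL
# Prints the fragment on stdout; returns 1 on input it refuses to write.
gen_security_proxy_conf() {
    mirror=$1
    security=$2
    proxy=$3
    is_plain_host "$mirror" || return 1
    # An empty security host corresponds to apt-setup/security_host preseeded
    # to an empty string (security updates disabled): nothing to emit.
    [ -n "$security" ] || return 0
    is_plain_host "$security" || return 1
    # No proxy given: leave apt's defaults untouched.
    [ -n "$proxy" ] || return 0
    case "$proxy" in
        http://*) ;;
        *) return 1 ;;
    esac
    case "$proxy" in
        *[!A-Za-z0-9.:/_@-]*) return 1 ;;
    esac
    # Internal mirror bypasses any proxy; the security host uses the proxy.
    printf 'Acquire::http::Proxy::%s "DIRECT";\n' "$mirror"
    printf 'Acquire::http::Proxy::%s "%s";\n' "$security" "$proxy"
}

# Sample run with constructed values.
gen_security_proxy_conf mirror.example.internal security.debian.org \
    http://proxy.example.internal:3128/
```

The output is meant for a file under `/etc/apt/apt.conf.d/`; the character checks matter because the values come from user input and end up inside a quoted apt configuration string.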