[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debootstrap_1.0.120_source.changes ACCEPTED into unstable

Hi,

Debian FTP Masters <ftpmaster@ftp-master.debian.org> (2020-03-07):
>  debootstrap (1.0.120) unstable; urgency=medium
>  .
>    * Check codename for apt-transport-https (Closes: #920255, #879755)
>    * Add security mirror setting (Closes: #939852, #543819)

I'm not sure the latter is reasonable.

First off, debootstrap's goal is to build a basic Debian system. So
making this mandatory all of a sudden instead of introducing an option
that wouldn't be enabled by default doesn't strike me as a net win.

Plus I'm not sure how that will play with apt-setup. Or with any other
provisioning tool that either relies on or at least expects chroots to
be basic ones, as they've always been.


Anyway, looking at the implementation in:
  https://salsa.debian.org/installer-team/debootstrap/commit/517c9d09e89233bbc87f9c969a5d12ba94c024d8

+       if [ "$enable_security_mirror" = true ]; then
+               chroot "$TARGET" /usr/bin/apt-get update
+               chroot "$TARGET" /usr/bin/apt-get -y upgrade
+       fi

This will hang in case there's a prompt?

+       if [ "$suite" = oldstable ] || [ "$suite" = stable ] || [ "$suite" = testing ]; then
+               enable_security_mirror="true"
+       fi

This will break at the beginning cycle since the security suite for the
next release isn't created right away as far as I remember?

+               for c in ${COMPONENTS:-$USE_COMPONENTS}; do
+                       local cs c path pkgdest
+                       path="dists/$SECURITY_SUITE/$c/binary-$ARCH/Packages"
+                       pkgdest="$TARGET/$($DLDEST pkg "$SECUIRTY_SUITE" "$c" "$ARCH" "$SECURITY_MIRROR" "$path")"
+                       if [ -e "$pkgdest" ]; then cs="$cs $c"; fi
+               done

I don't think this was tested? ($SECUIRTY_SUITE)


Finally, looking at CI, runtime indeed doesn't look too good:

    E: The repository 'http://security.debian.org/debian-security buster/updates/updates Release' does not have a Release file.
    E: The repository 'http://security.debian.org/debian-security buster-updates/updates Release' does not have a Release file.
    autopkgtest [00:16:26]: test upgrade-all-security: -----------------------]
    autopkgtest [00:16:27]: test upgrade-all-security:  - - - - - - - - - - results - - - - - - - - - -
    upgrade-all-security FAIL non-zero exit status 100
    autopkgtest [00:16:27]: test upgrade-all-security:  - - - - - - - - - - stderr - - - - - - - - - -
    E: The repository 'http://security.debian.org/debian-security buster/updates/updates Release' does not have a Release file.
    E: The repository 'http://security.debian.org/debian-security buster-updates/updates Release' does not have a Release file.

(from <https://ci.debian.net/data/autopkgtest/testing/amd64/u/unattended-upgrades/4504830/log.gz>)


All in all, I don't think we want that in the next alpha release, so
I'll probably block debootstrap from migrating to testing (e.g. through
release team side hints) but I'm wondering whether this would even
warrant an RC bug until some better plan has been agreed on.

Comments welcome.


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

Attachment: signature.asc
Description: PGP signature

Reply to: