
Bug#312350: cdimage.debian.org: Release files on netinst/businesscard cds cause apt-config to try to get testing security sources

Package: cdimage.debian.org
Severity: critical
Justification: root security hole

After grabbing yesterday's i386 sarge businesscard CD (3.1r0) and
installing, during base-config, apt-config thinks the system is
"testing", and tries to insert the following sources line:

# deb http://security.debian.org/ testing/updates main contrib

Since that fails (as currently there is no "testing" security
repository), the user is warned, and apt-setup comments out the line,
and continues on with no security updates.  Right now this causes any
newly installed sarge installation to never grab security fixes without
manual intervention, but when
http://security.debian.org/dists/testing/updates eventually exists,
dist-upgrades will start to try to grab testing security updates for a
stable system.

After a little digging, the source of the problem seems to be the
Release files on the installation CD:

  Archive: testing
  Component: main
  Origin: Debian
  Label: Debian
  Architecture: i386

This manifests itself in "apt-cache policy", which apt-setup uses to
determine whether an installation is stable/testing/unstable.  Heck,
even reportbug thinks the system is testing (see below).  I have
reproduced this problem on i386 businesscard and netinst images (haven't
tried CD sets or other arches yet).

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
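
A pre-release check for the mismatch reported above, as an added example that is not part of the original report or of apt-setup: it parses a CD's Release stanza and compares its `Archive:` field with the suite the image is supposed to carry. The function names and the expected suite `stable` for the 3.1r0 image are assumptions of this example; the sample stanza is the one quoted in the report.

```python
"""Check a CD's Release file suite before trusting the derived security source."""

# Constructed sample: the Release stanza quoted in the report above.
SAMPLE_RELEASE = """\
Archive: testing
Component: main
Origin: Debian
Label: Debian
Architecture: i386
"""


def parse_release(text):
    """Parse 'Key: value' lines of a per-component Release file into a dict."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line[0].isspace():
            continue  # skip blank lines and indented continuation lines
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def security_line(suite):
    """Security sources line for a suite, in the form shown in the report."""
    return f"deb http://security.debian.org/ {suite}/updates main contrib"


def check_image(release_text, expected_suite):
    """Return (ok, message) comparing the Release suite with the expected one."""
    archive = parse_release(release_text).get("Archive")
    if archive is None:
        return False, "Release file has no Archive field"
    if archive != expected_suite:
        return False, (f"Archive is '{archive}', expected '{expected_suite}'; "
                       f"installer would derive: {security_line(archive)}")
    return True, security_line(archive)


if __name__ == "__main__":
    # Assumption: a sarge 3.1r0 image should identify itself as stable.
    ok, msg = check_image(SAMPLE_RELEASE, "stable")
    print("OK" if ok else "MISMATCH", "-", msg)
```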
