Bug#312350: marked as done (cdimage.debian.org: Release files on netinst/businesscard cds cause apt-config to try to get testing security sources)
Your message dated Mon, 13 Jun 2005 03:31:24 -0700
with message-id <20050613103124.GC6830@mauritius.dodds.net>
and subject line cdimage.debian.org: Release files on netinst/businesscard cds cause apt-config to try to get testing security sources
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 7 Jun 2005 15:53:11 +0000
>From debian-bugs@arrrrrr.com Tue Jun 07 08:53:10 2005
Return-path: <debian-bugs@arrrrrr.com>
Received: from medusa.thna.net [208.39.234.17]
by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
id 1DfgO6-0004gX-00; Tue, 07 Jun 2005 08:53:10 -0700
Received: (qmail 21504 invoked by uid 4004); 7 Jun 2005 15:52:39 -0000
Received: from debian-bugs@arrrrrr.com by medusa.reno.12h by uid 4001 with qmail-scanner-1.15
(sweep: 2.18/3.79. Clear:.
Processed in 3.505136 secs); 07 Jun 2005 15:52:39 -0000
Received: from unknown (HELO localhost.localdomain) (root@192.168.0.78)
by medusa.reno.12h with SMTP; 7 Jun 2005 15:52:36 -0000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Ryan Finnie <debian-bugs@arrrrrr.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cdimage.debian.org: Release files on netinst/businesscard cds cause
apt-config to try to get testing security sources
X-Mailer: reportbug 3.8
Date: Tue, 07 Jun 2005 08:44:00 -0700
X-Qmail-Scanner-Message-ID: <111815955650221495@medusa.reno.12h>
Message-Id: <[🔎] E1DfgO6-0004gX-00@spohr.debian.org>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Package: cdimage.debian.org
Severity: critical
Justification: root security hole
After grabing yesterday's i386 sarge businesscard CD (3.1r0) and
installing, during base-config, apt-config thinks the system is
"testing", and tries to insert use the following sources line:
# deb http://security.debian.org/ testing/updates main contrib
Since that fails (as currently there is no "testing" security
repository), the user is warned, and apt-setup comments out the line,
and continues on with no security updates. Right now this causes any
newly installed sarge installation to never grab security fixes without
manual intervention, but when
http://security.debian.org/dists/testing/updates eventually exists,
dist-upgrades will start to try to grab testing security updates for a
stable system.
After a little digging, the source of the problem seems to be the
Release files on the installation CD:
dists/sarge/main/binary-i386/Release:
Archive: testing
Component: main
Origin: Debian
Label: Debian
Architecture: i386
This manifests itself in "apt-cache policy", which apt-setup uses to
determine whether an installation is stable/testing/unstable. Heck,
even reportbug thinks the system is testing (see below). I have
reproduced this problem on i386 businesscard and netinst images (haven't
tried CD sets or other arches yet).
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
---------------------------------------
Received: (at 312350-done) by bugs.debian.org; 13 Jun 2005 10:31:25 +0000
>From vorlon@debian.org Mon Jun 13 03:31:25 2005
Return-path: <vorlon@debian.org>
Received: from dsl093-039-086.pdx1.dsl.speakeasy.net (mauritius.dodds.net) [66.93.39.86]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DhmE1-0001DN-00; Mon, 13 Jun 2005 03:31:25 -0700
Received: by mauritius.dodds.net (Postfix, from userid 1000)
id CDA5FA3247; Mon, 13 Jun 2005 03:31:24 -0700 (PDT)
Date: Mon, 13 Jun 2005 03:31:24 -0700
From: Steve Langasek <vorlon@debian.org>
To: 312350-done@bugs.debian.org
Subject: Re: cdimage.debian.org: Release files on netinst/businesscard cds cause apt-config to try to get testing security sources
Message-ID: <20050613103124.GC6830@mauritius.dodds.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="Md/poaVZ8hnGTzuv"
Content-Disposition: inline
User-Agent: Mutt/1.5.9i
Delivered-To: 312350-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no
version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
--Md/poaVZ8hnGTzuv
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Thanks for reporting this, Ryan. This bug should be fixed with the 3.1r0a
CD images that were released late last week.
Thanks,
--=20
Steve Langasek
postmodern programmer
--Md/poaVZ8hnGTzuv
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFCrWB8KN6ufymYLloRAthRAKDQhTj1f84sc1kxieB68KMO2BwJOwCgzskI
BlOW/k6k1aIqtvrR1ZrTEjw=
=+I20
-----END PGP SIGNATURE-----
--Md/poaVZ8hnGTzuv--
Reply to: