
Bug#992051: security archive layout change needs more configuration changes



Package: release-notes

Hi,

I just sent this message to the security team, the release notes need
adapting.

Paul

-------- Forwarded Message --------
Subject: security archive layout change warrants announcement
Date: Tue, 10 Aug 2021 07:44:07 +0200
From: Paul Gevers <elbrus@debian.org>
To: Debian Security Team <team@security.debian.org>

Hi security team,

I don't know if you already planned on an announcement after the
bullseye release about the security archive layout change, but below I
urge you to think about it.

Yesterday I noticed that the layout change of the security archive impacts more
than just the apt *sources* as my system wasn't updating perl,
libencode-perl and exiv2. I already enabled the new security archive
layout a long time ago (and apt will complain when the sources are not
found). I discussed the issue on IRC on #d-release with juliank (apt
upstream). What users *need* to be aware of is that apt pinning (pabs
told me) and APT::Default-Release (found myself) may need adjustments
too, otherwise security updates are not installed.

I'm working on text for the release notes, but I fear a lot of users
will not be reading those and when they upgrade their secure buster
systems and only fix their apt sources, depending on how they configure
their system to follow bullseye, they may easily miss out on security
updates.

I therefore recommend you to send out a security announcement too after
the bullseye release (or whatever you feel is most appropriate)
explaining the layout change and the configuration impact.

Paul
PS: yesterday I learned that APT::Default-Release also supports "POSIX
fnmatch patterns or regular expressions inside /". On suggestion by
juliank I now have this APT::Default-Release myself (which worked for me):
APT::Default-Release "/^bullseye(|-security|-upgrades)$/";
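
Added example (not part of the original message and not APT's own code): a simplified Python model of comparing an APT::Default-Release value against each source's Suite and Codename, to show why a value that covered the buster security archive misses bullseye-security. The Suite/Codename values are constructed samples, and the matching rules (fnmatch glob, or a regular expression inside /) are assumed from the PS above; Python's regex dialect stands in for APT's.

```python
import fnmatch
import re

# Constructed sample sources per system: (label, Suite, Codename, is_security).
# Values are assumptions for illustration, not read from a live Release file.
BUSTER_SYSTEM = [
    ("buster main", "oldstable", "buster", False),
    ("buster/updates", "oldstable", "buster", True),
]
BULLSEYE_SYSTEM = [
    ("bullseye main", "stable", "bullseye", False),
    ("bullseye-security", "stable-security", "bullseye-security", True),
]

def expression_matches(pattern, value):
    """Simplified model: /.../ is a regular expression, anything else a glob."""
    if len(pattern) > 2 and pattern[0] == "/" and pattern[-1] == "/":
        return re.search(pattern[1:-1], value) is not None
    return fnmatch.fnmatchcase(value, pattern)

def covered(default_release, sources):
    """Labels of sources whose Suite or Codename matches the Default-Release value."""
    return [label for label, suite, codename, _ in sources
            if expression_matches(default_release, suite)
            or expression_matches(default_release, codename)]

def missed_security(default_release, sources):
    """Security sources that the Default-Release value does not select."""
    hit = set(covered(default_release, sources))
    return [label for label, _, _, is_sec in sources if is_sec and label not in hit]

if __name__ == "__main__":
    checks = [
        ("buster", BUSTER_SYSTEM),
        ("bullseye", BULLSEYE_SYSTEM),
        ("/^bullseye(|-security|-upgrades)$/", BULLSEYE_SYSTEM),  # value from the PS
    ]
    for value, sources in checks:
        missed = missed_security(value, sources)
        status = "security source NOT matched: " + ", ".join(missed) if missed else "ok"
        print(f'APT::Default-Release "{value}": {status}')
```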


