
Re: Local mirror as way to mitigate bug #718225



Yes, until this gets resolved, using a local mirror is a perfectly
sound mitigation.

You'll see in that bug report that I put together a solution back in
2015, but it was never merged. I've been contributing a lot of work to
live-build in recent weeks as you may be aware, and rebasing and
tweaking that 718225 solution is part of the work I'm doing. I'm
currently waiting upon a lot of work already submitted to be reviewed
and merged before I get to that though, and there's no guarantee that
my solution for 718225 will actually be accepted.

This solution of mine is actually how I've been getting by for the time
being. I would publish a branch with it for you to use, but it's just
simply in no fit state for that currently.

So a local mirror is the way to go. Unfortunately I have no actual
experience of that so I cannot guide you much myself.

I seem to recall from looking at it a long time ago that essentially
you use the same tool as used to create an actual public mirror of the
entire package archive, which involves it downloading a copy of the
entire archive of course, which would then be made available via
ftp/http and added to the list of official mirrors, along with setting
it up for updates. You would not want to do the latter things, and
would not want a copy of the entire archive, just the portion for your
particular architecture of interest. Hopefully you can limit the
copying as such. Unfortunately I do not expect that you can limit the
copying further than to a particular architecture, and it is not
feasible to get a specific list of files to copy anyway.

As for live-build using it, you just use the mirror options to point to
the local mirror (like file:///<dir> if on your local computer) and
packages and other files will simply be retrieved from it.

Note that the debian-installer specific mirror option is only used to
get some of the installer related files, others are obtained from the
chroot mirror, so you cannot just try to obtain a copy of installer
stuff only in your local mirror.

Note that the 'daily' version of the debian installer is obtained from
elsewhere (d-i specific URL), and (last time I checked) there is no
signature file with which to perform verification, so you should avoid
it and use the distribution (e.g. buster) specific one obtained from
the archive as with other packages and files.

Alternatively to using a local mirror, you could use a HTTPS mirror, if
you're comfortable with HTTPS protection only for d-i stuff (no
verification).

On Mon, 2020-04-20 at 20:26 +0000, dbgr wrote:
> Hello.
> 
> I am using the live-build version 20191221 (the one in testing) on a
> debian stable/buster system to build a live image with an integrated
> debian installer cdrom (with the '--debian-installer live' flag/option)
> with no problems, but I stumbled upon this bug ->
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718225 and was
> wondering if setting a local mirror would suffice to mitigate it...
> 
> If it is, can anyone guide me in the process of setting the
> aforementioned mirror? Which files should I download and make available
> and how? And how could I make live-build aware of the mirror and
> download the files it needs correctly?
> 
> Thank you.
> 

