Re: Compatibility of security mirror

To: Lee Winter <lee.j.i.winter@gmail.com>
Cc: debian-security@lists.debian.org
Subject: Re: Compatibility of security mirror
From: Goswin von Brederlow <goswin-v-b@web.de>
Date: Wed, 16 Sep 2009 09:45:39 +0200
Message-id: <[🔎] 878wgf8h98.fsf@frosties.localdomain>
In-reply-to: <[🔎] cf1144010909150911s55ecf1bdr3a2fc9105ff377c4@mail.gmail.com> (Lee Winter's message of "Tue, 15 Sep 2009 12:11:03 -0400")
References: <[🔎] cf1144010909150911s55ecf1bdr3a2fc9105ff377c4@mail.gmail.com>

Lee Winter <lee.j.i.winter@gmail.com> writes:

> The security mirror at security.debian.org appears to have a structure
> that is compatible with the main debian mirrors.  If that appearance
> is an accurate reflection of reality then the updates/main/* tree
> should be compatible with the main/* tree.  I use the term compatible
> to mean that a local mirror could be composed of the main archive plus
> the security updates and thus require a single entry in the client
> machine's sources.list file.
>
> Is that appearance accurate?  Can security update be stored in the
> same directory tree and accessed by clients transparently?  If so, is
> it possible to merge the updates/* folders into the main repository or
> do they need to remain underneath updates/ ?
>
> Thanks for any info or suggestions,
>
> Lee Winter
> NP Engineering
> Nashua, New Hampshire

Yes and no.

You can easily use reprepro to fetch packages from both ftp.debian.org
and security.debian.org and combine them into a single apt
repository. That works reasonably well with the exception of screwups
where different builds of the same source are uploaded to security and
stable-proposed-updates. This has happened a few times in the past and
can need a one time manual intervention in reprepro.

This has one minor drawback though: The combined apt repository will
be unsigned (you do not want to do that) or signed by a local
key. This has 2 effects:

  1) You need to "apt-key add" your local key on every client (or
     build a keyring deb and install that).
  2) The Debian-Installer will not work from the local mirror.
     You need to do the initial install from an official mirror or use
     a netinst or full CD1/DVD1 image. Netboot and business card
     images will not work.

You can not create 1:1 mirrors of ftp.debian.org and
security.debian.org in the same place because the Release and
Release.gpg files overlap. If you need a true mirror then you need to
keep them seperate and have 2 lines in sources.list.

MfG
        Goswin

PS: reprepro can also trivially handle locally compiled debs, e.g. in
a local/ section.

Reply to:

Follow-Ups:
- Re: Compatibility of security mirror
  - From: Lee Winter <lee.j.i.winter@gmail.com>

References:
- Compatibility of security mirror
  - From: Lee Winter <lee.j.i.winter@gmail.com>

Prev by Date: Re: signatures for debs installed manually
Next by Date: Re: Compatibility of security mirror
Previous by thread: Compatibility of security mirror
Next by thread: Re: Compatibility of security mirror
Index(es):
- Date
- Thread