Re: Compatibility of security mirror
On Wed, Sep 16, 2009 at 3:45 AM, Goswin von Brederlow <goswin-v-b@web.de> wrote:
> Lee Winter <lee.j.i.winter@gmail.com> writes:
>
>> The security mirror at security.debian.org appears to have a structure
>> that is compatible with the main debian mirrors. If that appearance
>> is an accurate reflection of reality then the updates/main/* tree
>> should be compatible with the main/* tree. I use the term compatible
>> to mean that a local mirror could be composed of the main archive plus
>> the security updates and thus require a single entry in the client
>> machine's sources.list file.
>>
>> Is that appearance accurate? Can security update be stored in the
>> same directory tree and accessed by clients transparently? If so, is
>> it possible to merge the updates/* folders into the main repository or
>> do they need to remain underneath updates/ ?
>
> Yes and no.
>
> You can easily use reprepro to fetch packages from both ftp.debian.org
> and security.debian.org and combine them into a single apt
> repository. That works reasonably well with the exception of screwups
> where different builds of the same source are uploaded to security and
> stable-proposed-updates. This has happened a few times in the past and
> can need a one time manual intervention in reprepro.
I'm using the updated debmirror, but the same issues would arise.
>
> This has one minor drawback though: The combined apt repository will
> be unsigned (you do not want to do that) or signed by a local
> key.
Why is that? If there are no file collissions such as described
above, then it should be possible to have two logical repositories in
one file structure. The issue is not how to integrate the
repositories. The issue is how to simplify the sources.list files on
the client systems. Right now the client's need three entries for
lenny, security, and volatile as if they came from separate mirrors.
I would like to keep the repositories independent but have one
"debian" section in sources.list. Is that not possible?
> This has 2 effects:
>
> 1) You need to "apt-key add" your local key on every client (or
> build a keyring deb and install that).
> 2) The Debian-Installer will not work from the local mirror.
> You need to do the initial install from an official mirror or use
> a netinst or full CD1/DVD1 image. Netboot and business card
> images will not work.
This is a key issue for me because installs happen here often. The
updated debmirror is supposed to accomplish that and it appears to be
getting the installer files into the mirror, but I have not yet gotten
it to work during an actual install (work in progress).
>
> You can not create 1:1 mirrors of ftp.debian.org and
> security.debian.org in the same place because the Release and
> Release.gpg files overlap.
Where? AFAICT all of the paths are different. E.g,, security inserts
"updates" so that "dists/stable/main" becomes
"dists/stable/updates/main". Same for pool. And volatile does the
same thing.
> If you need a true mirror then you need to
> keep them seperate and have 2 lines in sources.list.
OK, I can do that. I just want a simple-minded file structure.
Thanks for the help.
-- Lee
Reply to: