Re: Re: [SECURITY] [DSA 4371-1] apt security update
-----BEGIN PGP SIGNED MESSAGE-----
On Thu, 2019-01-24 at 23:37 +0100, Edgar Remmel wrote:
> Thanks a lot Yves-Alexis for reply and advice!
> > Also it's likely that
> > you need to ask this to Raspbian, not Debian.
> Please give me a 2.nd try in this list. If it will become obviosly to be
> a problem of Raspbian I will change to them.
It's not a Raspbian “problem”, but yes, you're using Raspbian packages and
mirrors, not Debian's.
> But by sudo "apt -o Acquire::http::AllowRedirect=false upgrade"
> I always got the following error messages after my confirm to install:
> Err:1 http://raspbian.raspberrypi.org/raspbian stretch/main armhf
> libapt-pkg5.0 armhf 1.4.9
> 302 Found [IP: 18.104.22.168 80]
Yes, 302 is HTTP redirect code, and you asked to refuse redirects (in order to
prevent exploitation by an attacker). That's why it fails.
> Besides according to your recommendation I tried this too:
> deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main
> in /etc/apt/sources.list.
That's actually a bad idea I think. Raspbian rebuilds packages for a different
architecture: raspbian armhf is not Debian armhf, so it's not guaranteed to
work on any raspberry pi. Also don't try to upgrade using packages downloaded
from Debian, you really need to go to Raspbian for that.
> But running an update command an error showed up that the key doesn't
> match, so this failed too.
> So please let me know - what is your conclusion?
> It's a question for Raspbian - and I should ask there now?
Yes, please contact them. I'm unsure if they published an advisory or
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----