
Re: sources.list 's security line



On Mon, Sep 06, 2021 at 11:42:52AM +0100, Brian wrote:
> On Mon 06 Sep 2021 at 06:53:25 -0300, riveravaldez wrote:
> > after reading the various sources of documentation (handbook,
> > wiki, FAQs, Release Notes, etc.) I think I'm finding myself with
> > kinda four options for the security line in /etc/apt/sources.list
> > Those being:
> > 
> > deb http://security.debian.org/debian-security bullseye-security main
> > 
> > deb http://security.debian.org bullseye-security main
> > 
> > deb https://deb.debian.org/debian-security bullseye-security main
> > 
> > deb http://security.debian.org testing/updates main
> 
> The first and the third are legitimate lines. I am unsure about the
> other two, particularly the last one.

The fourth one is definitely wrong, because the repository changed
from foo/updates to foo-security during the bullseye release cycle.

The second one *appears* to work, or at least, I get something that
doesn't look totally wrong when I paste http://security.debian.org
and bullseye-security into a browser's URL bar, and then put /dists/
in between them.

But that doesn't make it a good idea to use the second one, because
who knows whether it will continue working into the future.

Also, there's the wee little fact that testing is no longer a synonym
for bullseye, and therefore even if the fourth one *did* work, it
wouldn't be equivalent to the other three.

So, that really leaves us with two:

  deb http://security.debian.org/debian-security bullseye-security main

  deb https://deb.debian.org/debian-security bullseye-security main

The difference between these two is which mirror network (and really,
which mirroring *paradigm*) is used.  The first one uses a DNS round
robin that points to a rather limited set of servers, easily overloaded
when there's a huge security update (e.g. a kernel).

The other one uses the deb.debian.org infrastructure with its fancy DNS
SRV records and so on.  See <http://deb.debian.org/> for details.

I'm not sure when debian-security got added to the deb.debian.org
infrastructure; it's pretty new, I think.  Thus, a lot of people may
not even know that it's an option.
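
The distinctions drawn in the message above can be checked mechanically. The following is an added example, not part of the original message or of any Debian tool: a small Python audit of one-line-style `sources.list` entries that flags the three problems discussed (no `/debian-security` path, the pre-bullseye `foo/updates` suite naming, and a suite alias such as `testing` that moves between releases). The function names, finding labels and the restriction to the two hosts named in the thread are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the four candidate lines quoted in the thread.
SAMPLE = """\
deb http://security.debian.org/debian-security bullseye-security main
deb http://security.debian.org bullseye-security main
deb https://deb.debian.org/debian-security bullseye-security main
deb http://security.debian.org testing/updates main
"""

# Suite names that point at a different release over time (assumed list).
ALIASES = {"oldstable", "stable", "testing"}


def check_security_line(line):
    """Return a list of findings for a Debian security entry, or None if the
    line is a comment, blank, or not a security repository line."""
    # Drop trailing comments and any [option=value ...] block.
    line = re.sub(r"\[[^\]]*\]", " ", line.split("#", 1)[0])
    fields = line.split()
    if len(fields) < 3 or fields[0] not in ("deb", "deb-src"):
        return None
    url, suite = urlparse(fields[1]), fields[2]
    path = url.path.rstrip("/")
    on_cdn = url.hostname == "deb.debian.org" and (
        path.endswith("/debian-security")
        or suite.endswith(("-security", "/updates")))
    if url.hostname != "security.debian.org" and not on_cdn:
        return None
    findings = []
    if not path.endswith("/debian-security"):
        findings.append("missing-path")    # works today, not the documented form
    if suite.endswith("/updates"):
        findings.append("legacy-suite")    # naming used before bullseye
    if re.split(r"[-/]", suite)[0] in ALIASES:
        findings.append("moving-alias")    # not pinned to one release
    return findings


def audit(text):
    """Return (line number, line, findings) for every security entry in text."""
    return [(n, line.strip(), f) for n, line in enumerate(text.splitlines(), 1)
            if (f := check_security_line(line)) is not None]


if __name__ == "__main__":
    for n, line, findings in audit(SAMPLE):
        print(f"line {n}: {', '.join(findings) or 'ok'}: {line}")
```
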

