Re: sources.list 's security line
On Mon 06 Sep 2021 at 08:34:44 -0400, Greg Wooledge wrote:
> On Mon, Sep 06, 2021 at 11:42:52AM +0100, Brian wrote:
> > On Mon 06 Sep 2021 at 06:53:25 -0300, riveravaldez wrote:
> > > after reading the various sources of documentation (handbook,
> > > wiki, FAQs, Release Notes, etc.) I think I'm finding myself with
> > > kinda four options for the security line in /etc/apt/sources.list
> > > Those being:
> > >
> > > deb http://security.debian.org/debian-security bullseye-security main
> > >
> > > deb http://security.debian.org bullseye-security main
> > >
> > > deb https://deb.debian.org/debian-security bullseye-security main
> > >
> > > deb http://security.debian.org testing/updates main
> >
> > The first and the third are legitimate lines. I am unsure about the
> > other two, particulary the last one.
>
> The fourth one is definitely wrong, because the repository changed
> from foo/updates to foo-security during the bullseye release cycle.
>
> The second one *appears* to work, or at least, I get something that
> doesn't look totally wrong when I paste http://security.debian.org
> and bullseye-security into a browser's URL bar, and then put /dists/
> in between them.
>
> But that doesn't make it a good idea to use the second one, because
> who knows whether it will continue working into the future.
It is always a good idea to go with the flow in cases like this.
> Also, there's the wee little fact that testing is no longer a synonym
> for bullseye, and therefore even if the fourth one *did* work, it
> wouldn't be equivalent to the other three.
>
> So, that really leaves us with two:
>
> deb http://security.debian.org/debian-security bullseye-security main
>
> deb https://deb.debian.org/debian-security bullseye-security main
>
> The difference between these two is which mirror network (and really,
> which mirroring *paradigm*) is used. The first one uses a DNS round
> robin that points to a rather limited set of servers, easily overloaded
> when there's a huge security update (e.g. a kernel).
>
> The other one uses the deb.debian.org infrastructure with its fancy DNS
> SRV records and so on. See <http://deb.debian.org/> for details.
>
> I'm not sure when debian-security got added to the deb.debian.org
> infrastructure; it's pretty new, I think. Thus, a lot of people may
> not even know that it's an option.
I have
deb http://deb.debian.org/debian-security bullseye-security main
but acknowledge that the Release Notes for bullseye has
deb https://deb.debian.org/debian-security bullseye-security main
IMO, either is suitable, but there is an opinion that the second is to
be preferred because many users expect to be given https transport to
use.
--
Brian.
Reply to: