
Re: sources.list 's security line



On Mon 06 Sep 2021 at 08:34:44 -0400, Greg Wooledge wrote:

> On Mon, Sep 06, 2021 at 11:42:52AM +0100, Brian wrote:
> > On Mon 06 Sep 2021 at 06:53:25 -0300, riveravaldez wrote:
> > > after reading the various sources of documentation (handbook,
> > > wiki, FAQs, Release Notes, etc.) I think I'm finding myself with
> > > kinda four options for the security line in /etc/apt/sources.list
> > > Those being:
> > > 
> > > deb http://security.debian.org/debian-security bullseye-security main
> > > 
> > > deb http://security.debian.org bullseye-security main
> > > 
> > > deb https://deb.debian.org/debian-security bullseye-security main
> > > 
> > > deb http://security.debian.org testing/updates main
> > 
> > The first and the third are legitimate lines. I am unsure about the
> > other two, particularly the last one.
> 
> The fourth one is definitely wrong, because the repository changed
> from foo/updates to foo-security during the bullseye release cycle.
> 
> The second one *appears* to work, or at least, I get something that
> doesn't look totally wrong when I paste http://security.debian.org
> and bullseye-security into a browser's URL bar, and then put /dists/
> in between them.
> 
> But that doesn't make it a good idea to use the second one, because
> who knows whether it will continue working into the future.

It is always a good idea to go with the flow in cases like this.
 
> Also, there's the wee little fact that testing is no longer a synonym
> for bullseye, and therefore even if the fourth one *did* work, it
> wouldn't be equivalent to the other three.
> 
> So, that really leaves us with two:
> 
>   deb http://security.debian.org/debian-security bullseye-security main
> 
>   deb https://deb.debian.org/debian-security bullseye-security main
> 
> The difference between these two is which mirror network (and really,
> which mirroring *paradigm*) is used.  The first one uses a DNS round
> robin that points to a rather limited set of servers, easily overloaded
> when there's a huge security update (e.g. a kernel).
> 
> The other one uses the deb.debian.org infrastructure with its fancy DNS
> SRV records and so on.  See <http://deb.debian.org/> for details.
> 
> I'm not sure when debian-security got added to the deb.debian.org
> infrastructure; it's pretty new, I think.  Thus, a lot of people may
> not even know that it's an option.

I have

  deb http://deb.debian.org/debian-security bullseye-security main

but acknowledge that the Release Notes for bullseye has

  deb https://deb.debian.org/debian-security bullseye-security main

IMO, either is suitable, but there is an opinion that the second is to
be preferred because many users expect to be given https transport to
use.

-- 
Brian.
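
An added example, not part of the original message: a POSIX shell check that classifies sources.list entries against the points made in this thread (the foo/updates suite naming was replaced by foo-security during the bullseye cycle, and the /debian-security path should be present). The function names and verdict strings are hypothetical, and the accepted URIs are only the ones the thread names.

```shell
#!/bin/sh
# Added example: verdict names and function names are illustrative only.

classify_security_line() {
    # Split the entry into words; globbing is disabled so '*' stays inert.
    set -f
    set -- $1
    set +f
    [ "$1" = "deb" ] || [ "$1" = "deb-src" ] || { echo "not-a-source-line"; return; }
    shift
    # Skip an optional [option=value ...] block before the URI.
    case "$1" in
        \[*) while [ $# -gt 0 ]; do
                 case "$1" in *\]) shift; break ;; esac
                 shift
             done ;;
    esac
    uri=${1%/}; suite=$2
    case "$suite" in
        */updates)  echo "wrong-suite-old-naming"; return ;;  # foo/updates form
        *-security) ;;                                        # foo-security form
        *)          echo "not-a-security-line"; return ;;
    esac
    case "$uri" in
        http://security.debian.org/debian-security|\
        http://deb.debian.org/debian-security|\
        https://deb.debian.org/debian-security) echo "ok" ;;
        http://security.debian.org) echo "missing-debian-security-path" ;;
        *) echo "unrecognised-uri" ;;
    esac
}

audit_sources() {
    # Print "verdict<TAB>entry" for each security entry in the file "$1".
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        verdict=$(classify_security_line "$line")
        case "$verdict" in
            not-a-*) ;;  # ordinary archive entries and non-entries are skipped
            *) printf '%s\t%s\n' "$verdict" "$line" ;;
        esac
    done < "$1"
}
```

Run `audit_sources /etc/apt/sources.list` to list each security entry with its verdict; anything other than `ok` is worth a second look.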

