
Bug#1012174: Inconsistent advice wrt security archive



On Tue, May 31, 2022 at 02:26:39PM +0200, David Prévot wrote:
> Package: www.debian.org,release-notes
> Severity: normal
> X-Debbugs-Cc: team@security.debian.org
> 
> Hi teams,
> 
> The [errata] advises one to use 
> 
>   deb http://security.debian.org/debian-security bullseye-security main contrib non-free
> 
> while the [release-notes] advises
> 
>   deb https://deb.debian.org/debian-security bullseye-security main contrib
> 
> Even if both will have the same result (the last time a non-free package
> was uploaded to the security archive may have been during Etch), having
> two different pieces of official advice makes it difficult in some situations
> (“what should we actually use?”). Is the use of HTTPS via deb.d.o
> preferable over HTTP via security.d.o? If so maybe the errata should be
> updated, if it’s the other way around, the release-notes should be
> updated.
> 
>   errata: https://www.debian.org/releases/stable/errata#security
>   release-notes: https://www.debian.org/releases/stable/amd64/release-notes/ch-information#security-archive
> 
The release-notes version is preferred, as far as scheme and hostname.

I don't have a particular opinion (and definitely not an authoritative
one) on listing non-free, but there's precedent of shipping
intel-microcode updates via the security archive, much more recently
than etch.

Cheers,
Julien

