
Bug#1012174: Inconsistent advice wrt security archive



On Tue 31 May 2022 at 14:58:00 +0200, Julien Cristau wrote:

> On Tue, May 31, 2022 at 02:26:39PM +0200, David Prévot wrote:
> > Package: www.debian.org,release-notes
> > Severity: normal
> > X-Debbugs-Cc: team@security.debian.org
> > 
> > Hi teams,
> > 
> > The [errata] advises one to use 
> > 
> >   deb http://security.debian.org/debian-security bullseye-security main contrib non-free
> > 
> > while the [release-notes] advises
> > 
> >   deb https://deb.debian.org/debian-security bullseye-security main contrib
> > 
> > Even if both will have the same result (the last time a non-free package
> > was uploaded to the security archive may have been during Etch), having
> > two different pieces of official advice makes it difficult in some situations
> > (“what should we actually use?”). Is the use of HTTPS via deb.d.o
> > preferable over HTTP via security.d.o? If so maybe the errata should be
> > updated, if it’s the other way around, the release-notes should be
> > updated.
> > 
> >   errata: https://www.debian.org/releases/stable/errata#security
> >   release-notes: https://www.debian.org/releases/stable/amd64/release-notes/ch-information#security-archive
> > 
> The release-notes version is preferred, as far as scheme and hostname.

There appears to be a consensus in favour of https. For example:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992692#37

Regards,

Brian.
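
An added example, not part of the thread or of any Debian tool: a small audit of one-line-style `sources.list` entries that flags security-archive lines whose scheme or hostname differs from the release-notes form quoted above. The function name, the sample content and the rule that a security entry is one whose suite ends in `-security` are assumptions made for this illustration.

```python
import re
from urllib.parse import urlparse

# Scheme and hostname of the release-notes line quoted in the thread.
PREFERRED_SCHEME = "https"
PREFERRED_HOST = "deb.debian.org"

# Constructed sample sources.list content (not taken from a real system).
SAMPLE = """\
# constructed example
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
deb https://deb.debian.org/debian-security bullseye-security main contrib
deb [arch=amd64] http://deb.debian.org/debian-security bullseye-security main
deb https://deb.debian.org/debian bullseye main
"""

# type, optional [options], URI, suite, optional components
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)(?:\s+(.*))?$")


def audit_security_entries(text):
    """Return (line_no, uri, problems) for each security-archive entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = ENTRY.match(line)
        if not m:
            continue
        uri, suite = m.group(2), m.group(3)
        # Assumption: security entries use a suite such as bullseye-security.
        if not suite.endswith("-security"):
            continue
        parsed = urlparse(uri)
        problems = []
        if parsed.scheme != PREFERRED_SCHEME:
            problems.append(f"scheme {parsed.scheme!r}, expected {PREFERRED_SCHEME!r}")
        if parsed.hostname != PREFERRED_HOST:
            problems.append(f"host {parsed.hostname!r}, expected {PREFERRED_HOST!r}")
        findings.append((line_no, uri, problems))
    return findings


if __name__ == "__main__":
    for line_no, uri, problems in audit_security_entries(SAMPLE):
        print(line_no, uri, "OK" if not problems else "; ".join(problems))
```

Components (`main contrib non-free`) are deliberately not compared, since the reply in the thread states a preference only for scheme and hostname.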

