Bug#1012174: Inconsistent advice wrt security archive
On Tue 31 May 2022 at 14:58:00 +0200, Julien Cristau wrote:
> On Tue, May 31, 2022 at 02:26:39PM +0200, David Prévot wrote:
> > Package: www.debian.org,release-notes
> > Severity: normal
> > X-Debbugs-Cc: team@security.debian.org
> >
> > Hi teams,
> >
> > The [errata] advises one to use
> >
> > deb http://security.debian.org/debian-security bullseye-security main contrib non-free
> >
> > while the [release-notes] advises
> >
> > deb https://deb.debian.org/debian-security bullseye-security main contrib
> >
> > Even if both will have the same result (the last time a non-free package
> > was uploaded to the security archive may have been during Etch), having
> > two different official advice makes it difficult in some situation
> > (“what should we actually use?”). Is the use of HTTPS via deb.d.o
> > preferable over HTTP via security.d.o? If so maybe the errata should be
> > updated, if it’s the other way around, the realease-notes should be
> > updated.
> >
> > errata: https://www.debian.org/releases/stable/errata#security
> > release-notes: https://www.debian.org/releases/stable/amd64/release-notes/ch-information#security-archive
> >
> The release-notes version is preferred, as far as scheme and hostname.
There appears to be a consensus in favour of https. For example:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992692#37
Regards,
Brian.
Reply to: