Hi, Debian FTP Masters <ftpmas...@ftp-master.debian.org> (2020-03-07): > debootstrap (1.0.120) unstable; urgency=medium > . > * Check codename for apt-transport-https (Closes: #920255, #879755) > * Add security mirror setting (Closes: #939852, #543819)
I'm not sure the latter is reasonable. First off, debootstrap's goal is to build a basic Debian system. So making this mandatory all of a sudden instead of introducing an option that wouldn't be enabled by default doesn't strike me as a net win. Plus I'm not sure how that will play with apt-setup. Or with any other provisioning tool that either relies on or at least expects chroots to be basic ones, as they've always been. Anyway, looking at the implementation in: https://salsa.debian.org/installer-team/debootstrap/commit/517c9d09e89233bbc87f9c969a5d12ba94c024d8 + if [ "$enable_security_mirror" = true ]; then + chroot "$TARGET" /usr/bin/apt-get update + chroot "$TARGET" /usr/bin/apt-get -y upgrade + fi This will hang in case there's a prompt? + if [ "$suite" = oldstable ] || [ "$suite" = stable ] || [ "$suite" = testing ]; then + enable_security_mirror="true" + fi This will break at the beginning cycle since the security suite for the next release isn't created right away as far as I remember? + for c in ${COMPONENTS:-$USE_COMPONENTS}; do + local cs c path pkgdest + path="dists/$SECURITY_SUITE/$c/binary-$ARCH/Packages" + pkgdest="$TARGET/$($DLDEST pkg "$SECUIRTY_SUITE" "$c" "$ARCH" "$SECURITY_MIRROR" "$path")" + if [ -e "$pkgdest" ]; then cs="$cs $c"; fi + done I don't think this was tested? ($SECUIRTY_SUITE) Finally, looking at CI, runtime indeed doesn't look too good: E: The repository 'http://security.debian.org/debian-security buster/updates/updates Release' does not have a Release file. E: The repository 'http://security.debian.org/debian-security buster-updates/updates Release' does not have a Release file. autopkgtest [00:16:26]: test upgrade-all-security: -----------------------] autopkgtest [00:16:27]: test upgrade-all-security: - - - - - - - - - - results - - - - - - - - - - upgrade-all-security FAIL non-zero exit status 100 autopkgtest [00:16:27]: test upgrade-all-security: - - - - - - - - - - stderr - - - - - - - - - - E: The repository 'http://security.debian.org/debian-security buster/updates/updates Release' does not have a Release file. E: The repository 'http://security.debian.org/debian-security buster-updates/updates Release' does not have a Release file. (from <https://ci.debian.net/data/autopkgtest/testing/amd64/u/unattended-upgrades/4504830/log.gz>) All in all, I don't think we want that in the next alpha release, so I'll probably block debootstrap from migrating to testing (e.g. through release team side hints) but I'm wondering whether this would even warrant an RC bug until some better plan has been agreed on. Comments welcome. Cheers, -- Cyril Brulebois (k...@debian.org) <https://debamax.com/> D-I release manager -- Release team member -- Freelance Consultant
signature.asc
Description: PGP signature
