Yes, until this gets resolved, using a local mirror is a perfectly sound mitigation.
You'll see in that bug report that I put together a solution back in 2015, but it was never merged. I've been contributing a lot of work to live-build in recent weeks as you may be aware, and rebasing and tweaking that 718225 solution is part of the work I'm doing. I'm currently waiting upon a lot of work already submitted to be reviewed and merged before I get to that though, and there's no guarantee that my solution for 718225 will actually be accepted. This solution of mine is actually how I've been getting by for the time being. I would publish a branch with it for you to use, but it's just simply in no fit state for that currently. So a local mirror is the way to go. Unfortunately I have no actual experience of that so I cannot guide you much myself. I seem to recall from looking at it a long time ago that essentially you use the same tool as used to create an actual public mirror of the entire package archive, which involves it downloading a copy of the entire archive of course, which would then be made available via ftp/http and added to the list of official mirrors, along with setting it up for updates. You would not want to do the latter things, and would not want a copy of the entire archive, just the portion for your particular architecture of interest. Hopefully you can limit the copying as such. Unfortunately I do not expect that you can limit the copying further than to a particular architecture, and it is not feasible to get a specific list of files to copy anyway. As for live-build using it, you just use the mirror options to point to the local mirror (like file:///<dir> if on your local computer) and packages and other files will simply be retrieved from it. Note that the debian-installer specific mirror option is only used to get some of the installer related files, others are obtained from the chroot mirror, so you cannot just try to obtain a copy of installer stuff only in your local mirror. Note that the 'daily' version of the debian installer is obtained from elsewhere (d-i specific URL), and (last time I checked) there are no signatire file with which to perform verification, so you should avoid it and use the distribution (e.g. buster) specific one obtained from the archive as with other packages and files. Alternatively to using a local mirror, you could use a HTTPS mirror, if you're comfortable with HTTPS protection only for d-i stuff (no verification). On Mon, 2020-04-20 at 20:26 +0000, dbgr wrote: > Hello. > > I am using the live-build version 20191221 (the one in testing) on a > debian stable/buster system to build an live image with and > integrated > debian installer cdrom (with the '--debian-installer live' > flag/option) > with no problems, but I stumbled upon this bug -> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718225 and was > wondering if setting a local mirror would suffice to mitigate it... > > If it is, can anyone guided me in the process of setting the > aforementioned mirror? Which files should I download and made > available > and how? And how I could made live-build aware of the mirror and > download the files it need correctly? > > Thank you. >
