On 14/02/2016 12:49 AM, Christian Seiler wrote:
> On 02/13/2016 12:12 PM, Brendan Simon wrote:
>> Is there a way to restrict apt to a **specific release** of Jessie?
>> e.g. 8.1, 8.2, 8.3, ... ??
>>
>> I build root filesystems for embedded systems.  The sources.list is set
>> to Jessie, but the contents of the generated rootfs can change from one
>> day to the next if there have been updates.  I want to lock into a
>> specific release and be sure that the packages won't change if I build
>> now and 6 or 12 months later.
>>
>> What's the best way to do this?
> If you *really*, *really* want to do that against better judgment,
> you can use the http://snapshot.debian.org/ service. See the
> instructions there, just pick the current date. And realize that
> you are using old versions of software with potential security
> problems. (Even worse, since at least for me snapshot.d.o doesn't
> support https, and you have to disable Valid-Until in APT to make
> it work, an attacker in your network with man-in-the-middle
> capabilities could serve you versions of Jessie that are even 
> older than the ones you want, which have more security problems
> and you wouldn't really notice it, especially if you automate your
> process.)
>
> Regards,
> Christian

Thanks Christian.  I've had a quick look at snapshot.debian.org and it
might be worth considering.

The thing is when you are deploying something to lots of sites (e.g. an
embedded data logger in many remote locations), it's important to know
exactly what versions you have created and installed, and more
importantly be able to rebuild the exact same system sometime down the
track.  e.g. 6-12 months later, when a bug is reported and you need to be
able to replicate the build and make changes based on that build.  Often
a patch release will be deployed based on a build from that point in
time, so as to not introduce any "new features" or unknown changes in
behaviour.

Specifying a date in the apt sources.list may achieve that, by locking
in the versions to that date or earlier.  Subsequent security release
based updates can be achieved by updating the date at a controlled time,
doing a build, testing thoroughly and then releasing.

Does apt not use keyrings or some kind of certificates for
authenticating versions?

Thanks, Brendan.
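As an added illustration (not code from the thread or from Debian), the following POSIX shell script shows what the setup discussed above looks like in practice: the sources.list entries for a snapshot.debian.org timestamp, the `Acquire::Check-Valid-Until "false"` apt.conf setting that the snapshot approach requires, and a compensating freshness check. apt does verify the signature on each Release file against the archive keyrings under `/etc/apt/trusted.gpg.d`, which answers the keyring question, but a signature only proves origin: an older Release file from the same archive carries an equally valid signature, and Valid-Until is the field that rejects it. Once that is switched off, the script compares the `Date:` field of the Release file apt downloaded with the snapshot timestamp and rejects anything dated after it or more than a chosen window before it. The timestamp, the Release headers and the 48-hour window are constructed for the example; the script assumes GNU date for parsing.

```shell
#!/bin/sh
# Added example: pin a Jessie rootfs build to a snapshot.debian.org archive
# state and restore the freshness check that Check-Valid-Until=false removes.
set -eu

# snapshot.debian.org timestamps are UTC and look like 20160214T000000Z (constructed).
SNAPSHOT_TS="20160214T000000Z"

# 1. sources.list entries for the snapshot of the main and security archives.
snapshot_sources_list() {
    ts="$1"
    printf 'deb http://snapshot.debian.org/archive/debian/%s/ jessie main\n' "$ts"
    printf 'deb http://snapshot.debian.org/archive/debian-security/%s/ jessie/updates main\n' "$ts"
}

# 2. apt.conf.d fragment: a snapshot's Release file is past its Valid-Until,
#    so apt has to be told not to reject it on that ground.
snapshot_apt_conf() {
    printf 'Acquire::Check-Valid-Until "false";\n'
}

# Seconds since the epoch for a YYYYMMDDTHHMMSSZ snapshot timestamp (GNU date).
snapshot_epoch() {
    d=$(printf '%s' "$1" | cut -c1-8)    # YYYYMMDD
    t=$(printf '%s' "$1" | cut -c10-15)  # HHMMSS
    date -u -d "$(printf '%s-%s-%s %s:%s:%s UTC' \
        "$(printf '%s' "$d" | cut -c1-4)" "$(printf '%s' "$d" | cut -c5-6)" \
        "$(printf '%s' "$d" | cut -c7-8)" "$(printf '%s' "$t" | cut -c1-2)" \
        "$(printf '%s' "$t" | cut -c3-4)" "$(printf '%s' "$t" | cut -c5-6)")" +%s
}

# Seconds since the epoch for the Date: field of a Release file body.
release_epoch() {
    hdr=$(printf '%s\n' "$1" | sed -n 's/^Date: *//p' | head -n 1)
    [ -n "$hdr" ] || return 1
    # Drop the leading weekday ("Sat, ") so the remainder parses unambiguously.
    date -u -d "$(printf '%s' "$hdr" | sed 's/^[A-Za-z]*, *//')" +%s
}

# 3. Freshness check standing in for Valid-Until: the signed Release must be
#    dated at or before the snapshot timestamp and at most $3 seconds earlier.
#    A Release replayed from an older archive state, although validly signed,
#    fails this comparison.
release_matches_snapshot() {
    rel=$(release_epoch "$1") || return 1
    snap=$(snapshot_epoch "$2")
    window="$3"
    [ "$rel" -le "$snap" ] && [ $((snap - rel)) -le "$window" ]
}

# Constructed Release header in the form apt keeps under /var/lib/apt/lists/.
GOOD_RELEASE='Origin: Debian
Label: Debian
Suite: stable
Codename: jessie
Date: Sat, 13 Feb 2016 09:26:55 UTC
Valid-Until: Sat, 20 Feb 2016 09:26:55 UTC
Architectures: amd64 armhf'

# Same header with a Date from months earlier (constructed stale copy).
STALE_RELEASE=$(printf '%s\n' "$GOOD_RELEASE" | sed 's/^Date:.*/Date: Tue, 01 Sep 2015 10:00:00 UTC/')

# Usage: sh pin-snapshot.sh show
if [ "${1:-}" = "show" ]; then
    snapshot_sources_list "$SNAPSHOT_TS"
    snapshot_apt_conf
    release_matches_snapshot "$GOOD_RELEASE" "$SNAPSHOT_TS" 172800 && echo "current Release: accepted"
    release_matches_snapshot "$STALE_RELEASE" "$SNAPSHOT_TS" 172800 || echo "stale Release: rejected"
fi
```

In a build pipeline the first two functions would write `/etc/apt/sources.list` and a file under `/etc/apt/apt.conf.d/` inside the rootfs, and `release_matches_snapshot` would run over each `*_Release` file after `apt-get update`, failing the build if any Release falls outside the window. The window only has to cover the gap between the last archive update before the snapshot timestamp and the timestamp itself.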
