Brian wrote: >On Sat 03 Nov 2018 at 12:29:15 -0700, David Christensen wrote: >> On 11/3/18 8:35 AM, Brian wrote: >> > On Fri 02 Nov 2018 at 20:01:59 -0700, David Christensen wrote: >> > >> > > On 11/2/18 5:17 PM, Steve McIntyre wrote: >> > >> > > My intent was to install just what was on the CD onto a machine in my >> > > LAN. >> > > I was unaware that d-i connected to the Internet when I told it not to >> > > use a >> > > mirror. As security.debian.org is not a mirror in the usual sense, >> > > perhaps >> > > this kinda sorta makes sense to the Debian developers. For me, it >> > > violates >> > > KISS and the Principle of Least Surprise. I think the d-i needs to be >> > > more >> > > clear about if/ when it intends to connect to the Internet, and obtain >> > > explicit user approval. Which package do I file a bug report against? >> > >> > You gave it explicit approval when you configured the network. >> >> I gave the d-i explicit approval to connect to my LAN. This is not the same >> as approval to connect to the Internet. > >At what point in the installation did you do this? A network is a network.
And it's clearly not obvious to all users that security.d.o will be automatically added just because the new installation can see a network. It makes sense from a security POV, but... >> So, I file a bug report against d-i? > >For what? Connecting to other machines? > >> > > I view the fact that the d-i couldn't obtain a security update package >> > > to be >> > > a defect in the Debian security package distribution chain. If 'apt-get >> > > update' finds that a security update package is available and the d-i >> > > wants >> > > to install that package, then 'apt-get update' must be able to download >> > > that >> > > package. Which package do I file a bug report against? >> > >> > There is no defect in the security package distribution chain. mutt is >> > not part of the Xfce or standard utilities tasks. The installer had no >> > business attempting to install it. >> >> So, I file a bug report against d-i? > >Not in my opinion. Not against d-i, no. As I just wrote elsewhere, it looks like a bug in the security.d.o infrastructure. I'm chasing that now. -- Steve McIntyre, Cambridge, UK. st...@einval.com "Further comment on how I feel about IBM will appear once I've worked out whether they're being malicious or incompetent. Capital letters are forecast." Matthew Garrett, http://www.livejournal.com/users/mjg59/30675.html
