On Tue, May 31, 2022 at 02:26:39PM +0200, David Prévot wrote:
> Package: www.debian.org,release-notes
> Severity: normal
> X-Debbugs-Cc: t...@security.debian.org
>
> Hi teams,
>
> The [errata] advises one to use
>
> deb http://security.debian.org/debian-security bullseye-security main contrib non-free
>
> while the [release-notes] advises
>
> deb https://deb.debian.org/debian-security bullseye-security main contrib
>
> Even if both will have the same result (the last time a non-free package
> was uploaded to the security archive may have been during Etch), having
> two different pieces of official advice makes it difficult in some
> situations (“what should we actually use?”). Is the use of HTTPS via
> deb.d.o preferable over HTTP via security.d.o? If so maybe the errata
> should be updated, if it’s the other way around, the release-notes should
> be updated.
>
> errata: https://www.debian.org/releases/stable/errata#security
> release-notes: https://www.debian.org/releases/stable/amd64/release-notes/ch-information#security-archive

The release-notes version is preferred, as far as scheme and hostname.
I don't have a particular opinion (and definitely not an authoritative one) on listing non-free, but there's precedent of shipping intel-microcode updates via the security archive, much more recently than etch.

Cheers,
Julien