[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [lmi] No security updates yet for debian 'bullseye'
From: |
Vadim Zeitlin |
Subject: |
Re: [lmi] No security updates yet for debian 'bullseye' |
Date: |
Sat, 28 Sep 2019 23:40:42 +0200 |
On Sat, 28 Sep 2019 20:50:13 +0000 Greg Chicares <address@hidden> wrote:
GC> On 2019-09-28 12:33, Vadim Zeitlin wrote:
GC> [...]
GC> > You should, of course, enable security updates even for "testing". The
GC> > reason for the error is that you need to use "bullseye-testing" instead of
GC> > just "bullseye" for it (for reasons I'd have trouble to explain, other
than
GC> > saying that "it was always like this"), i.e. the full line should be
GC>
GC> [TL;DR: s/https/http/ (surprising though that may seem for "security")]
Oops, sorry for posting without testing. I do use HTTP myself, but I was
so sure it was an oversight and that it should be HTTPS by now that I
corrected it in my post without thinking.
FWIW there is https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802539 for
this, but it has seen no activity since several years, which is rather
surprising. It would also possible to use HTTPS by disabling host
verification in the apt options and/or adding the server certificate to the
system trusted certificates list (which would be preferable), but I'm not
sure if it's worth doing it -- after all, Debian packages are signed, so
using HTTP doesn't compromise the integrity. It does compromise the
confidentiality, of course, but I don't think we really care that much
about any TLAs knowing which Debian packages exactly do we download.
Regards,
VZ
pgplBUBvOzg36.pgp
Description: PGP signature