Package: cdimage.debian.org Severity: critical Justification: root security hole
After grabing yesterday's i386 sarge businesscard CD (3.1r0) and installing, during base-config, apt-config thinks the system is "testing", and tries to insert use the following sources line: # deb http://security.debian.org/ testing/updates main contrib Since that fails (as currently there is no "testing" security repository), the user is warned, and apt-setup comments out the line, and continues on with no security updates. Right now this causes any newly installed sarge installation to never grab security fixes without manual intervention, but when http://security.debian.org/dists/testing/updates eventually exists, dist-upgrades will start to try to grab testing security updates for a stable system. After a little digging, the source of the problem seems to be the Release files on the installation CD: dists/sarge/main/binary-i386/Release: Archive: testing Component: main Origin: Debian Label: Debian Architecture: i386 This manifests itself in "apt-cache policy", which apt-setup uses to determine whether an installation is stable/testing/unstable. Heck, even reportbug thinks the system is testing (see below). I have reproduced this problem on i386 businesscard and netinst images (haven't tried CD sets or other arches yet). -- System Information: Debian Release: 3.1 APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Kernel: Linux 2.6.8-2-686 Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]