Package: openstack-debian-images
Version: 1.47
Severity: serious
File: /usr/sbin/build-openstack-debian-image
User: [email protected]
Usertags: bullseye-security

With the release of Debian bullseye and later, security updates are
provided in the bullseye-security suite instead of bullseye/updates.
The above script references ${RELEASE}/updates but when bullseye is
released that should be replaced by ${RELEASE}-security so it looks
like the script would generate an incorrect sources.list using /updates
instead of -security which would cause the target system to not get
security updates from bullseye in a timely manner, which could be
problematic for openstack images since IIRC those have automatic
security updates enabled and so no human will notice this issue.

I suggest that this script check the version of the Debian release in
question using distro-info and then if the release is 11 or higher,
then use $release-security otherwise use $release/updates as before.
It is much better to use distro-info than to hard-code the release
version numbers. It might even be a good idea to include the security
suite information in distro-info itself and look it up there.

$ grep -B3 -A2 /updates /usr/sbin/build-openstack-debian-image
if [ "${RELEASE}" != "sid" ] && [ "${RELEASE}" != "unstable" ] ; then
echo "deb ${SOURCE_LIST_MIRROR} ${RELEASE}-updates main${NON_FREE}
deb-src ${SOURCE_LIST_MIRROR} ${RELEASE}-updates main${NON_FREE}
deb ${SECURITY_MIRROR_URL} ${RELEASE}/updates main${NON_FREE}
deb-src ${SECURITY_MIRROR_URL} ${RELEASE}/updates main${NON_FREE}
" >>${MOUNT_DIR}/etc/apt/sources.list
fi

-- System Information:
Debian Release: bullseye/sid
APT prefers testing-debug
APT policy: (900, 'testing-debug'), (900, 'testing'), (800,
'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700,
'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.9.0-1-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--
bye,
pabs
https://wiki.debian.org/PaulWise
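
The version check suggested in the report, sketched as an added example (not code from openstack-debian-images or from the reporter). The function names are hypothetical, the mirror URL is a placeholder, and the embedded table is a constructed sample that assumes the column layout of distro-info-data's debian.csv. Unknown or unversioned releases make the function fail instead of guessing a suite.

```shell
#!/bin/sh
# Constructed sample rows; assumed layout of /usr/share/distro-info/debian.csv
# (version,codename,series,...). A real build would read that file instead.
DISTRO_CSV_SAMPLE='version,codename,series,created,release,eol
9,Stretch,stretch,2015-04-25,2017-06-17,2020-07-06
10,Buster,buster,2017-06-17,2019-07-06
11,Bullseye,bullseye,2019-07-06
,Sid,sid,1993-08-16'

# release_version SERIES
# Prints the numeric version for a series name; prints nothing when the
# series is unknown or has no version number (sid).
release_version() {
    printf '%s\n' "$DISTRO_CSV_SAMPLE" |
        awk -F, -v s="$1" 'NR > 1 && $3 == s { print $1; exit }'
}

# security_suite SERIES
# Prints SERIES-security for Debian 11 and later, SERIES/updates before that.
# Returns non-zero when no version can be determined, so the caller can abort
# the image build rather than write a sources.list entry that never matches.
security_suite() {
    ver=$(release_version "$1")
    case "$ver" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    major=${ver%%.*}
    if [ "$major" -ge 11 ]; then
        printf '%s-security\n' "$1"
    else
        printf '%s/updates\n' "$1"
    fi
}

# security_sources MIRROR_URL SERIES COMPONENTS
# Emits the deb and deb-src lines for the security archive.
security_sources() {
    suite=$(security_suite "$2") || return 1
    printf 'deb %s %s %s\ndeb-src %s %s %s\n' \
        "$1" "$suite" "$3" "$1" "$suite" "$3"
}

# Demonstration with a placeholder mirror URL.
security_sources "http://security.example.org/debian-security" bullseye main
```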

