On Mon, Sep 06, 2021 at 11:42:52AM +0100, Brian wrote: > On Mon 06 Sep 2021 at 06:53:25 -0300, riveravaldez wrote: > > after reading the various sources of documentation (handbook, > > wiki, FAQs, Release Notes, etc.) I think I'm finding myself with > > kinda four options for the security line in /etc/apt/sources.list > > Those being: > > > > deb http://security.debian.org/debian-security bullseye-security main > > > > deb http://security.debian.org bullseye-security main > > > > deb https://deb.debian.org/debian-security bullseye-security main > > > > deb http://security.debian.org testing/updates main > > The first and the third are legitimate lines. I am unsure about the > other two, particulary the last one.
The fourth one is definitely wrong, because the repository changed from foo/updates to foo-security during the bullseye release cycle. The second one *appears* to work, or at least, I get something that doesn't look totally wrong when I paste http://security.debian.org and bullseye-security into a browser's URL bar, and then put /dists/ in between them. But that doesn't make it a good idea to use the second one, because who knows whether it will continue working into the future. Also, there's the wee little fact that testing is no longer a synonym for bullseye, and therefore even if the fourth one *did* work, it wouldn't be equivalent to the other three. So, that really leaves us with two: deb http://security.debian.org/debian-security bullseye-security main deb https://deb.debian.org/debian-security bullseye-security main The difference between these two is which mirror network (and really, which mirroring *paradigm*) is used. The first one uses a DNS round robin that points to a rather limited set of servers, easily overloaded when there's a huge security update (e.g. a kernel). The other one uses the deb.debian.org infrastructure with its fancy DNS SRV records and so on. See <http://deb.debian.org/> for details. I'm not sure when debian-security got added to the deb.debian.org infrastructure; it's pretty new, I think. Thus, a lot of people may not even know that it's an option.
