On Mon 06 Sep 2021 at 08:34:44 -0400, Greg Wooledge wrote: > On Mon, Sep 06, 2021 at 11:42:52AM +0100, Brian wrote: > > On Mon 06 Sep 2021 at 06:53:25 -0300, riveravaldez wrote: > > > after reading the various sources of documentation (handbook, > > > wiki, FAQs, Release Notes, etc.) I think I'm finding myself with > > > kinda four options for the security line in /etc/apt/sources.list > > > Those being: > > > > > > deb http://security.debian.org/debian-security bullseye-security main > > > > > > deb http://security.debian.org bullseye-security main > > > > > > deb https://deb.debian.org/debian-security bullseye-security main > > > > > > deb http://security.debian.org testing/updates main > > > > The first and the third are legitimate lines. I am unsure about the > > other two, particulary the last one. > > The fourth one is definitely wrong, because the repository changed > from foo/updates to foo-security during the bullseye release cycle. > > The second one *appears* to work, or at least, I get something that > doesn't look totally wrong when I paste http://security.debian.org > and bullseye-security into a browser's URL bar, and then put /dists/ > in between them. > > But that doesn't make it a good idea to use the second one, because > who knows whether it will continue working into the future.
It is always a good idea to go with the flow in cases like this. > Also, there's the wee little fact that testing is no longer a synonym > for bullseye, and therefore even if the fourth one *did* work, it > wouldn't be equivalent to the other three. > > So, that really leaves us with two: > > deb http://security.debian.org/debian-security bullseye-security main > > deb https://deb.debian.org/debian-security bullseye-security main > > The difference between these two is which mirror network (and really, > which mirroring *paradigm*) is used. The first one uses a DNS round > robin that points to a rather limited set of servers, easily overloaded > when there's a huge security update (e.g. a kernel). > > The other one uses the deb.debian.org infrastructure with its fancy DNS > SRV records and so on. See <http://deb.debian.org/> for details. > > I'm not sure when debian-security got added to the deb.debian.org > infrastructure; it's pretty new, I think. Thus, a lot of people may > not even know that it's an option. I have deb http://deb.debian.org/debian-security bullseye-security main but acknowledge that the Release Notes for bullseye has deb https://deb.debian.org/debian-security bullseye-security main IMO, either is suitable, but there is an opinion that the second is to be preferred because many users expect to be given https transport to use. -- Brian.
