Package: cdimage.debian.org
Severity: critical
Justification: root security hole

After grabbing yesterday's i386 sarge businesscard CD (3.1r0) and
installing, during base-config, apt-config thinks the system is
"testing", and tries to insert the following sources line:

    # deb http://security.debian.org/ testing/updates main contrib

Since that fails (as currently there is no "testing" security
repository), the user is warned, and apt-setup comments out the line,
and continues on with no security updates. Right now this causes any
newly installed sarge installation to never grab security fixes without
manual intervention, but when
http://security.debian.org/dists/testing/updates eventually exists,
dist-upgrades will start to try to grab testing security updates for a
stable system.

After a little digging, the source of the problem seems to be the
Release files on the installation CD:

dists/sarge/main/binary-i386/Release:

    Archive: testing
    Component: main
    Origin: Debian
    Label: Debian
    Architecture: i386

This manifests itself in "apt-cache policy", which apt-setup uses to
determine whether an installation is stable/testing/unstable. Heck,
even reportbug thinks the system is testing (see below). I have
reproduced this problem on i386 businesscard and netinst images (haven't
tried CD sets or other arches yet).

-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
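
Added example, not part of the original report and not code from apt-setup or base-config: a small audit for the failure described above, which checks the Archive field of a Release file against the suite an install is supposed to track and flags a missing, commented-out or wrong-suite security.debian.org entry. The sample inputs, the mirror.example host, the function names and the choice of "stable" as the expected suite are assumptions made for illustration.

```python
import re

# Constructed inputs modelled on the report (not captured from a real system).
CD_RELEASE = "Archive: testing\nComponent: main\nOrigin: Debian\nLabel: Debian\nArchitecture: i386\n"
SOURCES_LIST = (
    "deb http://mirror.example/debian/ stable main\n"
    "# deb http://security.debian.org/ testing/updates main contrib\n"
)
# Matches active and commented-out 'deb' lines pointing at security.debian.org.
SEC_RE = re.compile(r"^\s*(#\s*)?deb\s+\S*security\.debian\.org\S*\s+(\S+)")

def release_fields(text):
    """Parse the 'Key: value' lines of a Release file into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def security_entries(sources_text):
    """Return (is_active, suite) for each security.debian.org entry."""
    matches = (SEC_RE.match(line) for line in sources_text.splitlines())
    return [(m.group(1) is None, m.group(2)) for m in matches if m]

def audit(release_text, sources_text, expected_suite):
    """List findings for an install that is supposed to track expected_suite."""
    findings = []
    archive = release_fields(release_text).get("Archive")
    if archive != expected_suite:
        findings.append(f"Release declares Archive: {archive}, expected {expected_suite}")
    entries = security_entries(sources_text)
    if not any(active for active, _ in entries):
        findings.append("no active security.debian.org entry")
    for active, suite in entries:
        if suite.split("/")[0] != expected_suite:
            state = "active" if active else "commented-out"
            findings.append(f"{state} security entry targets {suite}")
    return findings

if __name__ == "__main__":
    for finding in audit(CD_RELEASE, SOURCES_LIST, "stable"):
        print("FINDING:", finding)
```

The pattern only handles the plain "deb URL suite components" form shown in the report.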