search

aptly-dev / aptly

aptly - Debian repository management tool
https://www.aptly.info/
MIT License
2.58k stars 375 forks source link

Quirk setting up a mirror of bullseye-security #1031

Open sdelafond opened 2 years ago

sdelafond commented 2 years ago

The standard apt line would be something like:

deb https://deb.debian.org/debian-security bullseye-security main contrib non-free

However, the same in aptly does not work: 

$ aptly mirror create security http://deb.debian.org/debian-security/ bullseye-security main contrib non-free                                                                               
   Downloading http://deb.debian.org/debian-security/dists/bullseye-security/InRelease...                                                                                                      
   gpgv: Signature made Thu 10 Feb 2022 12:21:47 CET using RSA key ID E562B32A                                                                                                                 
   gpgv: Good signature from "Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>"                                                                                
   gpgv: Signature made Thu 10 Feb 2022 12:21:47 CET using RSA key ID BBB6E853                                                                                                                 
   gpgv: Good signature from "Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>"                                                                              
   ERROR: unable to fetch mirror: component main not available in repo [security]: http://deb.debian.org/debian-security/ bullseye-security, use -force-components to override

Detailed Description

It turns out that https://deb.debian.org/debian-security/dists/bullseye-security/InRelease
defines the components as:

Components: updates/main updates/contrib updates/non-free

And aptly needs them to be spelled out exactly that way, so this works: 

$ aptly mirror create security http://deb.debian.org/debian-security/ bullseye-security updates/main updates/contrib updates/non-free

It's rather surprising behaviour, and there's a working workaround,
although I did not dig into the root cause to figure out why Components
are defined that way, how apt makes it work, and what the consequences
of the work around could be.

Context

This is Debian bug 1005290 (https://bugs.debian.org/1005290).

Your Environment

Debian bullseye, aptly 1.4.0.

r4co0n commented 2 years ago

Please note that the security repository for releases prior to Debian 11 bullseye is shipped in another layout, see https://deb.debian.org/debian-security/dists/buster/updates/InRelease

Note dists/bullseye-security vs. dists/buster/updates with the same components in both Release-files. Starting with bullseye, updates/ is just a symlink to the parent directory, see https://deb.debian.org/debian-security/dists/bullseye-security/updates/updates/updates/updates/updates/updates/InRelease

This change requires Debian security mirrors for releases after Debian 10 buster to be configured differently in aptly, as discussed in #983.

sdelafond commented 2 years ago

I agree this is more a documentation bug than anything else, as it's a bit counter-intuitive for end-users since apt hides that detail about the component+symlink.