Setup security.devuan.org repo
In #39 (closed), @Bushytails reported:
- If it's bad to use security.debian.org currently, don't have it selected by default. Best option may be to create an empty security.devuan.org repo and select that by default, so users end up with updates automagically once devuan security is up and running.
And @CenturionDan replied:
Good point. We will be setting up the devuan security repo soon. Probably around the time we push the beta installer out. I have been looking into this.
-
Bumping this after discussion...
Consensus seems to be going towards using deb http://packages.devuan.org/security stable main, is that right?
-
We've decided on http://packages.devuan.org/devuan <codename>-security main contrib non-free as that allows us to use the existing dak system for the packages.
We can merge that using amprolla with security.debian.org into http://packages.devuan.org/merged <codename>-security main contrib non-free.
We can do symlinks or url rewriting to make nicer urls.
Edited by Daniel Reurich
-
I don't think we need nicer URLs, especially as ours are consistent already.
-
What if security.debian.org upgrades a systemd-related package?
-
There are currently 381 packages depending on systemd or libsystemd0 (@hellekin is currently writing a rather complex Packages analyzer to have more insights, updated also on our new webpage).
Can amprolla cache this sort of information, let's say have a list of "attentioned" packages and dependencies, and warn if an "attentioned" package is updated via an overlay or if the overlay introduces an "attentioned" dependency?
Would this rather simple logic suffice, at least for now? We would then get a warning, amprolla would block the overlay and we'd be prompted to react and package the security update on our own.
-
@nextime amprolla for the /merged security repos should detect and not merge those packages and instead warn us about them. We can then build our own patched version of the package. Detection can either be checking if the package is already built for that release of devuan or detecting that the package has a dependency on libsystemd0 or libpam-systemd.
Packages that are called systemd, systemd-sysv, libpam-systemd can be excluded altogether as can most if not all packages that depend directly on systemd or systemd-sysv.
-
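The detection rule discussed in the comments above, as an added Python example (it is not amprolla's code and not code posted in this thread). The Packages sample is constructed, the `example-*` package names and the `triage`, `dep_groups` and `parse_packages` helpers are hypothetical, and treating an `a | b` alternative as harmless when one side is not systemd-related is an assumption.

```python
import re

EXCLUDED = {"systemd", "systemd-sysv", "libpam-systemd"}  # never merged from the overlay
ATTENTIONED = EXCLUDED | {"libsystemd0"}                  # dependencies that block a merge

# Constructed sample of a security overlay Packages index (not real archive data).
SAMPLE = """\
Package: stunnel4
Depends: libc6 (>= 2.15), libssl1.0.0 (>= 1.0.1),
 libsystemd0, netbase

Package: systemd
Depends: libc6 (>= 2.17)

Package: example-tool
Depends: libc6 (>= 2.15)

Package: example-session
Depends: libpam-systemd | consolekit, libc6 (>= 2.7)
"""

def parse_packages(text):
    """Yield one dict per stanza; continuation lines (leading space) are folded."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        yield fields

def dep_groups(fields):
    """Return Pre-Depends/Depends as lists of alternative package names."""
    raw = ", ".join(fields.get(f, "") for f in ("Pre-Depends", "Depends"))
    # Keep only the name: drop "(>= 1)" versions, "[amd64]" and ":any" qualifiers.
    return [[re.split(r"[\s(\[:]", alt.strip(), maxsplit=1)[0] for alt in group.split("|")]
            for group in raw.split(",") if group.strip()]

def triage(text, already_built=()):
    """Map package name -> 'exclude' | 'skip' | 'hold' | 'merge'."""
    result = {}
    for pkg in parse_packages(text):
        name = pkg["Package"]
        # Assumption: a group blocks the merge only if every alternative is attentioned.
        held = any(all(a in ATTENTIONED for a in g) for g in dep_groups(pkg))
        result[name] = ("exclude" if name in EXCLUDED else "skip" if name in already_built
                        else "hold" if held else "merge")
    return result
```

A `hold` result is the case where the overlay package is not merged and a maintainer is warned; `skip` covers a package already built for the Devuan release.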
@jaromil @hellekin: I'd like to know how you came to the number 381, because for Jessie at least that number is much, much lower... about 96 for all systemd and directly dependent packages.
The number of packages depending on libsystemd0 (excluding systemd parts) is 52.
That is using "apt-rdepends -d -r libsystemd0 | grep -c libsystemd0"
-
381 is the number of packages with +devuan in their version, i.e., forked packages. 52 is the number of packages dependent on libsystemd0 (50 if you don't count systemd and systemd-dbg): libaccountsservice0, acpi-fakekey, apt-cacher-ng, beanstalkd, cinnamon-screensaver, cinnamon-session, cinnamon-settings-daemon, clamav-daemon, erlang-base, erlang-base-hipe, fcgiwrap, gdm3, libgdm1, gnome-disk-utility, gnome-logs, gnome-screensaver, gnome-session-bin, gnome-shell, gnome-system-monitor, gvfs-daemons, libghc-libsystemd-journal-dev, inn, iodine, knot, knot-libs, lbcd, libguestfs0, light-locker, mate-screensaver, mate-session-manager, monopd, mpd, libmutter0e, network-manager, nsca-ng-server, onak, packagekit, php5-fpm, realmd, remctl-server, sane-utils, spice-vdagent, stunnel4, syslog-ng-core, libsystemd-dev, python3-systemd, systemd, systemd-dbg, tgt, transmission-daemon, weston
I wonder what erlang-base is doing in this list. So sane to add a system dependency on a programming language. WTG Major Kong.
-
Yes, sorry, I confused the numbers in my post. Meanwhile I gave @hellekin access to O'Beardly server where the apt-mirror is, which is very useful for that without downloading all Packages files.
@CenturionDan since you set up the apt-mirror, can you add into the motd documentation the commands to correctly update it? Or should it be updating with a cronjob?
-
I just changed it manually - /etc/motd (I think). It would be good to make it easier...
-
I have a request. Would it at all be possible to serve packages over https? Yes, I know this is more expensive bandwidth and CPU wise. But it would be a significant value add over the main Debian repos. Also, I'm a Linux sys admin by trade; I can help out with things if needed.
-
@wontonsoup all devuan repos are already (also) over https.
-
@wontonsoup you need to install apt-transport-https to use them.
-
Are we done here?
-
yes
-
Status changed to closed