Bug#366715: installation-report: Installer gets stuck if it can't access security.debian.org
On Thu, May 11, 2006 at 06:57:30AM +0200, Christian Perrier wrote: > > I wonder whether we could have a kind of compromise here: > > -keep the current behaviour when a regular mirror has been chosen > > -at least ask for a proxy for security.d.o when the mirror settings > have been entered manually The current situation when using a CD installation: - It asks: "Use a network mirror?", and I answer no - It hangs for some time (90 sec?) with (I think): "Scanning the security updates repository..." - You get a message that it failed and that it's commented out. Kurt -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#366715: installation-report: Installer gets stuck if it can't access security.debian.org
On Thu, 2006-05-11 at 06:57 +0200, Christian Perrier wrote: [snip] > I wonder whether we could have a kind of compromise here: > > -keep the current behaviour when a regular mirror has been chosen > > -at least ask for a proxy for security.d.o when the mirror settings > have been entered manually Excellent suggestion - this would maintain the desired simplicity whilst allowing the installer to cope in a situation which is all too common. John -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#366715: installation-report: Installer gets stuck if it can't access security.debian.org
> > 1) Ask before attempting to get security updates. (Obviously default to > > yes). > > There's no good reason to ask. If the machine is network connected it > should make every possible effort to use security updates, doing > anything else is asking to be insecure. > > If you really want to disable it, you can preseed > apt-setup/security_host to an empty string, as documented in the > installation manual. > > > 2) Ask where to get them from. I have a local copy of them but there > > seems to be no way to tell the installer to use this local copy. > > apt-setup/security_host can be used to override this. > However, the security team doesn't like mirrors of security.debian.org, > and asking that kind of question in any regular install is counter to > our UI guidelines. We try to avoid asking questions when there's a > default that will work for 99.99% of users. I wonder whether we could have a kind of compromise here: -keep the current behaviour when a regular mirror has been chosen -at least ask for a proxy for security.d.o when the mirror settings have been entered manually In that latter case, it is very likely that the user has chosen a mirror which is internal to his/her organization. If we want to keep the behaviour where the installer always tries to reach security.d.o (and we do), we at least should do our best to be able to reach it. This is IMHO a quite common case in large organizations using Debian: machines are configured to use an internal mirror and will only use external repositories for security updates. At least, this is exactly the setup I use in my own organization...:-) That doesn't completely answer John's question (always ask whether security.d.o should be used...which I disagree with for default installs) but that would help in many setups. This proposed change is however not that hard to code as this implies to setup a per-host proxy setting in the generated apt settings. signature.asc Description: Digital signature
Bug#366715: installation-report: Installer gets stuck if it can't access security.debian.org
John Winters wrote: > > > > > 1) Ask before attempting to get security updates. (Obviously default to > > > yes). > > > > There's no good reason to ask. > > Well, no - clearly there is a good reason to ask. > > > If the machine is network connected it > > should make every possible effort to use security updates, > > True, and by failing to ask it is not making every possible effort to > use them. No, you're conflating asking whether to use security updates, with asking where to get them from. > > If you really want to disable it, you can preseed > > apt-setup/security_host to an empty string, as documented in the > > installation manual. > > Where? I've read all the apparently relevant chunks of the installation > manual but can find nothing like that documented in it. It's in the appendix on preseeding. > Clearly you have little experience of real-world networks. This is just > the sort of problem which a non-admin on a Windows network has to deal > with on a daily basis. > > If you have administrator access it's easy, but if not it's hard to > impossible. Yes, the particular network on which I was trying to do it > is badly set up, but the problem is equally the fault of bad defaults in > the Debian installer. Just saying, "It's the other components fault - > fix that" is the worst form of buck-passing. > > Sorry to be short, but it's been a long and hard day and you need to > realise that a response like yours does the Debian project (which I > greatly admire) absolutely no favours. Well, I'm sorry you feel that way, and I wish you luck in getting a better response from someone else. Although, you need to realize that with the above attitude, you're unlikely to. -- see shy jo, ta signature.asc Description: Digital signature
Bug#366715: installation-report: Installer gets stuck if it can't access security.debian.org
On Wed, 2006-05-10 at 16:38 -0400, Joey Hess wrote: > John Winters wrote: > > I'm trying to use the Debian Installer etch beta 2 to install systems > > within a fairly tightly firewalled network. > > > > Although the installer prompts to ask what repository it should use for > > the main packages it then tries to use a hard-coded source (presumably > > security.debian.org) to check for security updates, without first > > seeking permission to do this or guidance on how to do it. > > > > In our network, this fails (slowly) because all direct outgoing http > > requests > > are dropped at the firewall. After a significant delay a message > > appears explaining what has happened and offering the option to continue > > (it advises that the problem should be investigated and corrected > > later). If one then selects the "Continue" button, nothing further > > happens. The installation process does not move on and there's no way > > to get back to the menu. > > You need to wait for it to time out a second time. This problem has > already been fixed in apt-setup 0.10 unstable, which will only have the > first timeout and not the second. Glad to hear it. > > > 1) Ask before attempting to get security updates. (Obviously default to > > yes). > > There's no good reason to ask. Well, no - clearly there is a good reason to ask. > If the machine is network connected it > should make every possible effort to use security updates, True, and by failing to ask it is not making every possible effort to use them. > doing anything else is asking to be insecure. Because it doesn't ask the current behaviour is *less* secure than it could potentially be. The updates are there and available to be installed, but by being inflexible the installer *prevents* me using them. > If you really want to disable it, you can preseed > apt-setup/security_host to an empty string, as documented in the > installation manual. Where? I've read all the apparently relevant chunks of the installation manual but can find nothing like that documented in it. I've even had a fresh look now that you've told me it's there, and I still can't find it. The problem with a very large manual like that (with no index) is that it's only really useful to the person who wrote it, and thus who knows what's there. > > 2) Ask where to get them from. I have a local copy of them but there > > seems to be no way to tell the installer to use this local copy. > > apt-setup/security_host can be used to override this. > However, the security team doesn't like mirrors of security.debian.org, > and asking that kind of question in any regular install is counter to > our UI guidelines. We try to avoid asking questions when there's a > default that will work for 99.99% of users. > > > 3) Ask for proxy information. This can (and in our case does) differ > > from the proxy information needed to access the main package repository. > > Obviously again - default to the same proxy information as previously > > entered. > > While it seems that apt might support per-host proxy settings, I think > you'd be better off fixing your network. I doubt that anyone else will > ever have such a setup, Clearly you have little experience of real-world networks. This is just the sort of problem which a non-admin on a Windows network has to deal with on a daily basis. If you have administrator access it's easy, but if not it's hard to impossible. Yes, the particular network on which I was trying to do it is badly set up, but the problem is equally the fault of bad defaults in the Debian installer. Just saying, "It's the other components fault - fix that" is the worst form of buck-passing. Sorry to be short, but it's been a long and hard day and you need to realise that a response like yours does the Debian project (which I greatly admire) absolutely no favours. John -- John Winters, Wallingford, Oxon, England i = (free (NULL); i++); -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#366715: installation-report: Installer gets stuck if it can't access security.debian.org
John Winters wrote: > I'm trying to use the Debian Installer etch beta 2 to install systems > within a fairly tightly firewalled network. > > Although the installer prompts to ask what repository it should use for > the main packages it then tries to use a hard-coded source (presumably > security.debian.org) to check for security updates, without first > seeking permission to do this or guidance on how to do it. > > In our network, this fails (slowly) because all direct outgoing http requests > are dropped at the firewall. After a significant delay a message > appears explaining what has happened and offering the option to continue > (it advises that the problem should be investigated and corrected > later). If one then selects the "Continue" button, nothing further > happens. The installation process does not move on and there's no way > to get back to the menu. You need to wait for it to time out a second time. This problem has already been fixed in apt-setup 0.10 unstable, which will only have the first timeout and not the second. > 1) Ask before attempting to get security updates. (Obviously default to > yes). There's no good reason to ask. If the machine is network connected it should make every possible effort to use security updates, doing anything else is asking to be insecure. If you really want to disable it, you can preseed apt-setup/security_host to an empty string, as documented in the installation manual. > 2) Ask where to get them from. I have a local copy of them but there > seems to be no way to tell the installer to use this local copy. apt-setup/security_host can be used to override this. However, the security team doesn't like mirrors of security.debian.org, and asking that kind of question in any regular install is counter to our UI guidelines. We try to avoid asking questions when there's a default that will work for 99.99% of users. > 3) Ask for proxy information. This can (and in our case does) differ > from the proxy information needed to access the main package repository. > Obviously again - default to the same proxy information as previously > entered. While it seems that apt might support per-host proxy settings, I think you'd be better off fixing your network. I doubt that anyone else will ever have such a setup, but we do accept patches... -- see shy jo signature.asc Description: Digital signature
Bug#366715: installation-report: Installer gets stuck if it can't access security.debian.org
Package: installation-report Severity: important I'm trying to use the Debian Installer etch beta 2 to install systems within a fairly tightly firewalled network. Although the installer prompts to ask what repository it should use for the main packages it then tries to use a hard-coded source (presumably security.debian.org) to check for security updates, without first seeking permission to do this or guidance on how to do it. In our network, this fails (slowly) because all direct outgoing http requests are dropped at the firewall. After a significant delay a message appears explaining what has happened and offering the option to continue (it advises that the problem should be investigated and corrected later). If one then selects the "Continue" button, nothing further happens. The installation process does not move on and there's no way to get back to the menu. Apart from fixing this "getting stuck" problem, can I suggest the following enhancements to the installer: 1) Ask before attempting to get security updates. (Obviously default to yes). 2) Ask where to get them from. I have a local copy of them but there seems to be no way to tell the installer to use this local copy. 3) Ask for proxy information. This can (and in our case does) differ from the proxy information needed to access the main package repository. Obviously again - default to the same proxy information as previously entered. -- System Information: Debian Release: 3.1 Architecture: i386 (i686) Kernel: Linux 2.6.16.2-bluebox3 Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1) (ignored: LC_ALL set to en_GB) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
