Bug#743892: please include security.debian.org in sources.list
On 8 April 2014 02:48, Jonathan Landis j...@calibersecurity.com wrote:

> Package: cloud.debian.org
>
> The heartbleed bug has created a situation in which servers must be upgraded immediately. At the moment the default mirrors listed in the Debian Wheezy AMI image don't have the patches yet, but security.debian.org does. So users of the existing image have to update sources.list on each of their servers if they want to get patched ASAP.
>
> Is there any reason not to include security.debian.org in sources.list by default?

> Is there any reason not to include security.debian.org in sources.list by default?

Not really. There is a hanging PR at https://github.com/andsens/bootstrap-vz/pull/33

It's hanging because I never got an answer to my question: What's the difference between:

http://security.debian.org/ wheezy/updates ...

and

http://http.debian.net/ wheezy-updates ...

?

I am pretty sure only the first one should be there, but I can't for the life of me figure out why wheezy-updates was added. Is it a bogus source?

The source is here: https://github.com/andsens/bootstrap-vz/blob/399dfa3fa0bc792fb1b8adc633a9e5fefe3b05d7/bootstrapvz/common/tasks/apt.py#L31
Bug#743892: please include security.debian.org in sources.list
On Tue, Apr 08, 2014 at 09:02:12AM +0200, Anders Ingemann wrote:

> It's hanging because I never got an answer to my question: What's the difference between:
>
> http://security.debian.org/ wheezy/updates ...
>
> and
>
> http://http.debian.net/ wheezy-updates ...
>
> ?

Sorry for this...

Short answer: they are different, and the resemblance is only coincidental.

Each line indicates a URL and a distribution.

http://http.debian.net/ is a mirror of the Debian archive. The wheezy-updates distribution is there together with wheezy, wheezy-backports, jessie, sid, etc. It contains the packages that will be part of the next point update. This includes security updates, but not immediately after their release.

http://security.debian.org/ is not a section of the Debian archive, it is an archive on its own. If I remember correctly, the rationale for using a separate archive is that for a quick diffusion of security updates, it was better to avoid the lag caused by the mirroring of the regular archive. For wheezy, the distribution to pick is wheezy/updates.

Both lines are really needed.

Have a nice day,

--
Charles Plessy
Tsurumi, Kanagawa, Japan
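An added example, not part of the thread and not bootstrap-vz code: a small check that parses a one-line-style sources.list and reports which of the two update channels described above (the separate security archive and the `-updates` suite on the regular mirror) has no active `deb` entry. The sample files, the mirror path and the `main` component are constructed assumptions; the suite names are the ones given in the thread for wheezy.

```python
import re

# One-line sources.list entry: type, optional [options], URI, suite, components.
ENTRY_RE = re.compile(
    r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)((?:\s+\S+)*)$"
)

# Suite names as given in the thread for wheezy; {c} is the release codename.
CHANNELS = {
    "security archive": "{c}/updates",
    "point-release updates": "{c}-updates",
}

def parse_sources(text):
    """Return (type, uri, suite, components) for every active entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ignore comments and disabled lines
        match = ENTRY_RE.match(line)
        if match:
            kind, uri, suite, comps = match.groups()
            entries.append((kind, uri, suite, comps.split()))
    return entries

def missing_update_sources(text, codename):
    """List the update channels that have no binary ('deb') entry."""
    suites = {s for kind, _, s, _ in parse_sources(text) if kind == "deb"}
    return [name for name, pattern in CHANNELS.items()
            if pattern.format(c=codename) not in suites]

# Constructed sample inputs (mirror path and components are assumptions).
BEFORE = """\
deb http://http.debian.net/debian wheezy main
deb http://http.debian.net/debian wheezy-updates main
# deb http://security.debian.org/ wheezy/updates main
deb-src http://security.debian.org/ wheezy/updates main
"""
AFTER = BEFORE + "deb [arch=amd64] http://security.debian.org/ wheezy/updates main\n"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, "missing:", missing_update_sources(text, "wheezy"))
```

A commented-out or source-only (`deb-src`) security line does not count as coverage, which is why the first sample is still reported as missing the security archive. From Debian 11 (bullseye) onward the security suite is named `<codename>-security`, so the suite table needs adjusting for newer releases.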
Bug#743892: please include security.debian.org in sources.list
On 8 April 2014 09:28, Charles Plessy ple...@debian.org wrote:

> On Tue, Apr 08, 2014 at 09:02:12AM +0200, Anders Ingemann wrote:
>
> > It's hanging because I never got an answer to my question: What's the difference between:
> >
> > http://security.debian.org/ wheezy/updates ...
> >
> > and
> >
> > http://http.debian.net/ wheezy-updates ...
> >
> > ?
>
> Sorry for this...
>
> Short answer: they are different, and the resemblance is only coincidental.
>
> Each line indicates a URL and a distribution.
>
> http://http.debian.net/ is a mirror of the Debian archive. The wheezy-updates distribution is there together with wheezy, wheezy-backports, jessie, sid, etc. It contains the packages that will be part of the next point update. This includes security updates, but not immediately after their release.
>
> http://security.debian.org/ is not a section of the Debian archive, it is an archive on its own. If I remember correctly, the rationale for using a separate archive is that for a quick diffusion of security updates, it was better to avoid the lag caused by the mirroring of the regular archive. For wheezy, the distribution to pick is wheezy/updates.
>
> Both lines are really needed.
>
> Have a nice day,
>
> --
> Charles Plessy
> Tsurumi, Kanagawa, Japan

Aha! Thanks for the detailed explanation Charles. I'll merge this tonight and put it in the master branch.

> Have a nice day

I will ;-)
Bug#743892: please include security.debian.org in sources.list
Already merged about an hour ago ;-)

Anders

On 8 April 2014 16:57, Bromberger, James jame...@amazon.com wrote:

> I’ve pushed a patch to bootstrap-vz that should fix this; pending review and merge req pull by Anders.
>
> James
>
> James Bromberger | Solution Architect | Amazon Web Services
> E: jame...@amazon.com P: +61 422 166 708 T: @JamesBromberger
>
> From: Jimmy Kaplowitz [mailto:jkaplow...@google.com]
> Sent: Tuesday, 8 April 2014 5:22 PM
> To: Anders Ingemann; 743...@bugs.debian.org
> Cc: Jonathan Landis
> Subject: Bug#743892: please include security.debian.org in sources.list
>
> The http.debian.net source is presumably the wheezy version of this: http://www.debian.org/News/2011/20110215
>
> - Jimmy
>
> On Tue, Apr 8, 2014 at 12:02 AM, Anders Ingemann and...@ingemann.de wrote:
>
> > On 8 April 2014 02:48, Jonathan Landis j...@calibersecurity.com wrote:
> >
> > > Package: cloud.debian.org
> > >
> > > The heartbleed bug has created a situation in which servers must be upgraded immediately. At the moment the default mirrors listed in the Debian Wheezy AMI image don't have the patches yet, but security.debian.org does. So users of the existing image have to update sources.list on each of their servers if they want to get patched ASAP.
> > >
> > > Is there any reason not to include security.debian.org in sources.list by default?
> >
> > > Is there any reason not to include security.debian.org in sources.list by default?
> >
> > Not really. There is a hanging PR at https://github.com/andsens/bootstrap-vz/pull/33
> >
> > It's hanging because I never got an answer to my question: What's the difference between:
> >
> > http://security.debian.org/ wheezy/updates ...
> >
> > and
> >
> > http://http.debian.net/ wheezy-updates ...
> >
> > ?
> >
> > I am pretty sure only the first one should be there, but I can't for the life of me figure out why wheezy-updates was added. Is it a bogus source?
> >
> > The source is here: https://github.com/andsens/bootstrap-vz/blob/399dfa3fa0bc792fb1b8adc633a9e5fefe3b05d7/bootstrapvz/common/tasks/apt.py#L31
Bug#743892: please include security.debian.org in sources.list
Thanks for patching quickly all! When can we expect the cloudfront.debian.net repos to be updated with the fix?

On Tue, Apr 8, 2014 at 8:03 AM, Anders Ingemann and...@ingemann.de wrote:

> Already merged about an hour ago ;-)
>
> Anders
>
> On 8 April 2014 16:57, Bromberger, James jame...@amazon.com wrote:
>
> > I've pushed a patch to bootstrap-vz that should fix this; pending review and merge req pull by Anders.
> >
> > James
> >
> > James Bromberger | Solution Architect | Amazon Web Services
> > E: jame...@amazon.com P: +61 422 166 708 T: @JamesBromberger
> >
> > From: Jimmy Kaplowitz [mailto:jkaplow...@google.com]
> > Sent: Tuesday, 8 April 2014 5:22 PM
> > To: Anders Ingemann; 743...@bugs.debian.org
> > Cc: Jonathan Landis
> > Subject: Bug#743892: please include security.debian.org in sources.list
> >
> > The http.debian.net source is presumably the wheezy version of this: http://www.debian.org/News/2011/20110215
> >
> > - Jimmy
> >
> > On Tue, Apr 8, 2014 at 12:02 AM, Anders Ingemann and...@ingemann.de wrote:
> >
> > > On 8 April 2014 02:48, Jonathan Landis j...@calibersecurity.com wrote:
> > >
> > > > Package: cloud.debian.org
> > > >
> > > > The heartbleed bug has created a situation in which servers must be upgraded immediately. At the moment the default mirrors listed in the Debian Wheezy AMI image don't have the patches yet, but security.debian.org does. So users of the existing image have to update sources.list on each of their servers if they want to get patched ASAP.
> > > >
> > > > Is there any reason not to include security.debian.org in sources.list by default?
> > >
> > > > Is there any reason not to include security.debian.org in sources.list by default?
> > >
> > > Not really. There is a hanging PR at https://github.com/andsens/bootstrap-vz/pull/33
> > >
> > > It's hanging because I never got an answer to my question: What's the difference between:
> > >
> > > http://security.debian.org/ wheezy/updates ...
> > >
> > > and
> > >
> > > http://http.debian.net/ wheezy-updates ...
> > >
> > > ?
> > >
> > > I am pretty sure only the first one should be there, but I can't for the life of me figure out why wheezy-updates was added. Is it a bogus source?
> > >
> > > The source is here.
Bug#743892: please include security.debian.org in sources.list
Package: cloud.debian.org

The heartbleed bug has created a situation in which servers must be upgraded immediately. At the moment the default mirrors listed in the Debian Wheezy AMI image don't have the patches yet, but security.debian.org does. So users of the existing image have to update sources.list on each of their servers if they want to get patched ASAP.

Is there any reason not to include security.debian.org in sources.list by default?
Bug#743892: please include security.debian.org in sources.list
The AWS ELB servers are apparently vulnerable, too, so don't update your SSL certs on ELB until they are confirmed fixed.

https://forums.aws.amazon.com/thread.jspa?threadID=149690&tstart=0

On Mon, Apr 7, 2014 at 5:48 PM, Jonathan Landis j...@calibersecurity.com wrote:

> Package: cloud.debian.org
>
> The heartbleed bug has created a situation in which servers must be upgraded immediately. At the moment the default mirrors listed in the Debian Wheezy AMI image don't have the patches yet, but security.debian.org does. So users of the existing image have to update sources.list on each of their servers if they want to get patched ASAP.
>
> Is there any reason not to include security.debian.org in sources.list by default?