Bug#1050179: dgit: unable to clone -security suites (?since bullseye)
Hi,
The commit message in my previous patch was confused (author error, I
have to work hard to remember the order buster-bullseye-bookworm).
Here's a revised version with a correct commit message, the code is the
same.
Regards,
MatthewFrom aab5bd302ff9de69b5e8585ac4051df42049f957 Mon Sep 17 00:00:00 2001
From: Matthew Vernon
Date: Mon, 21 Aug 2023 16:10:11 +0100
Subject: [PATCH] Use the old /updates security map for buster (Closes:
#1050179)
The suite-map and suite-rmap for debian-security are necessary for the
pre-bullseye layout of the security.debian.org archive.
Since bullseye (i.e. after buster), the archive layout has changed,
and these mappings are no longer necessary (indeed, they cause dgit
clone to fail to work with bullseye and later security suites).
Buster is the oldest suite still available on security.debian.org, so
this is the only suite we still need the mapping for.
Signed-off-by: Matthew Vernon
---
dgit | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dgit b/dgit
index 30d76299..1b02f8de 100755
--- a/dgit
+++ b/dgit
@@ -794,8 +794,8 @@ our %defcfg = ('dgit.default.distro' => 'debian',
'dgit-distro.debian.mirror' => 'http://ftp.debian.org/debian/',
'dgit-distro.debian-security.archive-query' => 'aptget:',
'dgit-distro.debian-security.mirror' => 'http://security.debian.org/debian-security/',
- 'dgit-distro.debian-security.aptget-suite-map' => 's#-security$#/updates#',
- 'dgit-distro.debian-security.aptget-suite-rmap' => 's#$#-security#',
+ 'dgit-distro.debian-security.aptget-suite-map' => 's#buster-security$#buster/updates#',
+ 'dgit-distro.debian-security.aptget-suite-rmap' => 's#buster$#buster-security#',
'dgit-distro.debian-security.nominal-distro' => 'debian',
'dgit-distro.debian.backports-quirk' => '(squeeze)-backports*',
'dgit-distro.debian-backports.mirror' => 'http://backports.debian.org/debian-backports/',
--
2.39.2
Bug#1050179: dgit: unable to clone -security suites (?since bullseye)
control: tags 1050179 +patch
quit
On 21/08/2023 15:21, Ian Jackson wrote:
Thanks for the report and the investigation!
Matthew Vernon writes ("Bug#1050179: dgit: unable to clone -security suites (?since
bullseye)"):
The difficulty is that there is AFAICT no version-knowledge in these
map/rmap entries - one would prefer to apply the map for suites <
bullseye and not for >=bullseye
The usual approach is to list *all* old codenames (at least, any that
still have any existence anywhere) and assume that unknown codenames
are newer.
There is in fact only one suite where this is still germane, since
pre-buster suites are no longer available on security.debian.org at all.
Given which, the attached patch works for me (with it I can clone bind9
for stable,-security oldstable,-security and oldoldstable,-security
without needing any -c arguments).
HTH,
Matthew
From 2278aa8b77365599b7f48301502777cfae2bfe3a Mon Sep 17 00:00:00 2001
From: Matthew Vernon
Date: Mon, 21 Aug 2023 16:10:11 +0100
Subject: [PATCH] Use the old /updates security map for buster (Closes:
#1050179)
The suite-map and suite-rmap for debian-security are necessary for the
pre-bullseye layout of the security.debian.org archive.
Since bookworm, the archive layout has changed, and these mappings are
no longer necessary (indeed, they cause dgit clone to fail to work
with bookworm and later security suites).
Buster is the oldest suite still available on security.debian.org, so
this is the only suite we still need the mapping for.
Signed-off-by: Matthew Vernon
---
dgit | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dgit b/dgit
index 30d76299..1b02f8de 100755
--- a/dgit
+++ b/dgit
@@ -794,8 +794,8 @@ our %defcfg = ('dgit.default.distro' => 'debian',
'dgit-distro.debian.mirror' => 'http://ftp.debian.org/debian/',
'dgit-distro.debian-security.archive-query' => 'aptget:',
'dgit-distro.debian-security.mirror' => 'http://security.debian.org/debian-security/',
- 'dgit-distro.debian-security.aptget-suite-map' => 's#-security$#/updates#',
- 'dgit-distro.debian-security.aptget-suite-rmap' => 's#$#-security#',
+ 'dgit-distro.debian-security.aptget-suite-map' => 's#buster-security$#buster/updates#',
+ 'dgit-distro.debian-security.aptget-suite-rmap' => 's#buster$#buster-security#',
'dgit-distro.debian-security.nominal-distro' => 'debian',
'dgit-distro.debian.backports-quirk' => '(squeeze)-backports*',
'dgit-distro.debian-backports.mirror' => 'http://backports.debian.org/debian-backports/',
--
2.39.2
Bug#1050179: dgit: unable to clone -security suites (?since bullseye)
Thanks for the report and the investigation!
Matthew Vernon writes ("Bug#1050179: dgit: unable to clone -security suites
(?since bullseye)"):
> The difficulty is that there is AFAICT no version-knowledge in these
> map/rmap entries - one would prefer to apply the map for suites <
> bullseye and not for >=bullseye
The usual approach is to list *all* old codenames (at least, any that
still have any existence anywhere) and assume that unknown codenames
are newer.
> IMO, this would be worth a backport to at least stable when fixed -
> it's a bit sad that this functionality is broken since it's quite
> useful for end-users of dgit and helps make sure they get security
> updates.
I agree.
--
Ian JacksonThese opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
Bug#1050179: dgit: unable to clone -security suites (?since bullseye)
Package: dgit Version: 10.7 Severity: important Hi, It's suggested (in e.g. dgit-user(7)) to clone a combined ,-security suite. But this does not work (transcript 0 below), with an error about missing Release file: E: The repository 'http://security.debian.org/debian-security bookworm/updates Release' does not have a Release file. I think this is because the suit map/rmap for debian-security are wrong: dgit: 'dgit-distro.debian-security.aptget-suite-map' => 's#-security$#/updates#', dgit: 'dgit-distro.debian-security.aptget-suite-rmap' => 's#$#-security#', Debian changed its security suite names starting with bullseye from /updates to -security: https://lists.debian.org/debian-devel-announce/2019/07/msg4.html If I disable both mappings I can then clone pcre2 stable,-security with a warning that pcre2 can't be found in the (security) archive which I think is correct. That was done thus: dgit -cdgit-distro.debian-security.aptget-suite-map='' -cdgit-distro.debian-security.aptget-suite-rmap='' clone pcre2 stable,-security Transcript 1 below contains the full output of that command. By way of checking that this works where there has been a security update, I cloned bind9 stable,-security and checked that left me at 1:9.18.16-1~deb12u1 (the security release) - see Transcript 2. Likewise, dgit merge/pull work with the map & rmap unset. The difficulty is that there is AFAICT no version-knowledge in these map/rmap entries - one would prefer to apply the map for suites < bullseye and not for >=bullseye IMO, this would be worth a backport to at least stable when fixed - it's a bit sad that this functionality is broken since it's quite useful for end-users of dgit and helps make sure they get security updates. Thanks, Matthew *** BEGIN TRANSCRIPT 0 *** matthew@aragorn:~/junk$ dgit clone pcre2 stable,-security fetching stable... canonical suite name for stable is bookworm fetching existing git history last upload to archive: specified git info (debian) % Total% Received % Xferd Average Speed TimeTime Time Current Dload Upload Total SpentLeft Speed 100 2341k 100 2341k0 0 2322k 0 0:00:01 0:00:01 --:--:-- 2324k HEAD is now at be53c99 Changelog for 10.42-1 dgit [stable] ok: ready for work in pcre2 fetching bookworm-security... Ign:1 http://security.debian.org/debian-security bookworm/updates InRelease Err:2 http://security.debian.org/debian-security bookworm/updates Release 404 Not Found [IP: 2a04:4e42:82::644 80] Reading package lists... Done E: The repository 'http://security.debian.org/debian-security bookworm/updates Release' does not have a Release file. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. dgit [bookworm-security]: failed command: apt-get -c '/home/matthew/.cache/dgit/aptget/apt.conf#debian' update dgit [bookworm-security]: error: subprocess failed with error exit status 100 dgit: error: failed to obtain bookworm-security: failed with error exit status 255 *** END TRANSCRIPT 0 *** *** BEGIN TRANSCRIPT 1 *** matthew@aragorn:~/junk$ dgit -cdgit-distro.debian-security.aptget-suite-map='' -cdgit-distro.debian-security.aptget-suite-rmap='' clone pcre2 stable,-security fetching stable... canonical suite name for stable is bookworm fetching existing git history last upload to archive: specified git info (debian) % Total% Received % Xferd Average Speed TimeTime Time Current Dload Upload Total SpentLeft Speed 100 2341k 100 2341k0 0 2322k 0 0:00:01 0:00:01 --:--:-- 2324k HEAD is now at be53c99 Changelog for 10.42-1 dgit [stable] ok: ready for work in pcre2 fetching bookworm-security... Hit:1 http://security.debian.org/debian-security bookworm-security InRelease Reading package lists... Done canonical suite name is bookworm-security W: Unable to locate package pcre2 no version available from the archive dgit [bookworm-security]: source package pcre2 does not exist in suite bookworm-security calculated combined tracking suite bookworm,-security HEAD is now at be53c99 Changelog for 10.42-1 dgit ok: ready for work in pcre2 *** END TRANSCRIPT 1 *** *** BEGIN TRANSCRIPT 2 *** matthew@aragorn:~/junk$ dgit -cdgit-distro.debian-security.aptget-suite-map='' -cdgit-distro.debian-security.aptget-suite-rmap='' clone bind9 stable,-security fetching stable... canonical suite name for stable is bookworm starting new git history last upload to archive: NO git hash % Total% Received % Xferd Average Speed TimeTime Time Current Dload Upload Total SpentLeft Speed 100 5334k 100 5334k0 0 2352k 0 0:00:02 0:00:02 --:--:-- 2352k % Total% Received % Xferd Average Speed TimeTime Time Current
