diff --git a/diskimage_builder/elements/debian-minimal/README.rst b/diskimage_builder/elements/debian-minimal/README.rst
index aaea5d2e..2b6368e3 100644
--- a/diskimage_builder/elements/debian-minimal/README.rst
+++ b/diskimage_builder/elements/debian-minimal/README.rst
@@ -12,4 +12,11 @@ be created, the variable ``DIB_RELEASE`` can be set appropriately.
 Note that this element installs ``systemd-sysv`` as the init system
+The element obeys the ``DIB_DISTRIBUTION_MIRROR`` argument for
+mirroring (see ``debootsrap`` element documentation). However, the
+security repositories are separate for Debian, so we can not assume
+they exist at ``DIB_DISTRIBUTION_MIRROR``. If you do not wish to use
+the upstream repository (from ``security.debian.org``) override it
+with ``DIB_DEBIAN_SECURITY_MIRROR``.
+
 .. element_deps::
diff --git a/diskimage_builder/elements/debian-minimal/environment.d/10-debian-minimal.bash b/diskimage_builder/elements/debian-minimal/environment.d/10-debian-minimal.bash
index accb08c6..dad20965 100644
--- a/diskimage_builder/elements/debian-minimal/environment.d/10-debian-minimal.bash
+++ b/diskimage_builder/elements/debian-minimal/environment.d/10-debian-minimal.bash
@@ -6,6 +6,12 @@ if [ -n "${DIB_DEBIAN_DISTRIBUTION_MIRROR:-}" ]; then
 fi
 export DIB_DISTRIBUTION_MIRROR=${DIB_DISTRIBUTION_MIRROR:-http://deb.debian.org/debian}
+# With Debian, security is in a different repository. We can't, say,
+# assume "${DIB_DISTRIBUTION_MIRROR}-security" is valid. The only
+# choice is for people to add it separately, otherwise we use
+# upstream.
+DIB_DEBIAN_SECURITY_MIRROR=${DIB_DEBIAN_SECURITY_MIRROR:-http://security.debian.org/}
+
 export DIB_DEBIAN_COMPONENTS=${DIB_DEBIAN_COMPONENTS:-main}
 export DIB_DEBIAN_COMPONENTS_WS=${DIB_DEBIAN_COMPONENTS//,/ }
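Review bot: `DIB_DEBIAN_SECURITY_MIRROR` is assigned without `export` in the environment.d hunk, while `DIB_DISTRIBUTION_MIRROR` just above it and `DIB_DEBIAN_COMPONENTS` just below it are exported. That is enough for the `security:` entry in the next hunk, which is expanded when the assignment runs, but a later script that wants to record or check where security updates came from would not see the value. If that is intended, say so in the comment, e.g. `# Not exported: only used to build DIB_APT_SOURCES_CONF_DEFAULT below.`; otherwise write `export DIB_DEBIAN_SECURITY_MIRROR=${DIB_DEBIAN_SECURITY_MIRROR:-http://security.debian.org/}`.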
@@ -13,7 +19,7 @@ DIB_APT_SOURCES_CONF_DEFAULT=\
 "default:deb ${DIB_DISTRIBUTION_MIRROR} ${DIB_RELEASE} ${DIB_DEBIAN_COMPONENTS_WS}
 backports:deb ${DIB_DISTRIBUTION_MIRROR} ${DIB_RELEASE}-backports ${DIB_DEBIAN_COMPONENTS_WS}
 updates:deb ${DIB_DISTRIBUTION_MIRROR} ${DIB_RELEASE}-updates ${DIB_DEBIAN_COMPONENTS_WS}
-security:deb http://security.debian.org/ ${DIB_RELEASE}/updates ${DIB_DEBIAN_COMPONENTS_WS}
+security:deb ${DIB_DEBIAN_SECURITY_MIRROR} ${DIB_RELEASE}/updates ${DIB_DEBIAN_COMPONENTS_WS}
 "
 if [ "${DIB_RELEASE}" = "testing" -o "${DIB_RELEASE}" = "unstable" ]; then
diff --git a/releasenotes/notes/debian-security-7279855cf464f88b.yaml b/releasenotes/notes/debian-security-7279855cf464f88b.yaml
new file mode 100644
index 00000000..5777282b
--- /dev/null
+++ b/releasenotes/notes/debian-security-7279855cf464f88b.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ A new variable ``DIB_DEBIAN_SECURITY_MIRROR`` is added to override
+ the path to the security repositories. Previously this was
+ hard-coded to the upstream repositories, which could get out of
+ sync with mirrors specified with ``DIB_DISTRIBUTION_MIRROR``.
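Review bot: The new `security:` entry splices `${DIB_DEBIAN_SECURITY_MIRROR}` into a string whose fields are separated by spaces and whose entries are separated by newlines, so a value with stray whitespace or a line break would alter this entry or add another source, and nothing in the patch checks the value. Because this entry decides where the image's security updates come from, it is worth rejecting such values where the variable is defaulted in the previous hunk, for example `case "${DIB_DEBIAN_SECURITY_MIRROR}" in *[[:space:]]*) echo "DIB_DEBIAN_SECURITY_MIRROR must be a single URL" >&2; return 1 ;; esac` (assuming the file is sourced, so `return` is valid). The default stays plain `http://`, so package authenticity rests on apt's signature check of the repository metadata; a comment saying that an override must be a current copy of the security archive that serves `${DIB_RELEASE}/updates` would help operators. The `DIB_APT_SOURCES_CONF_DEFAULT` assignment starts above the hunk and the trailing `if` continues below it.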