From 9b201b58b99c1289dd2e8352455f767056614e9a Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Wed, 2 Oct 2019 16:06:47 +0000
Subject: [PATCH] Add security mirror override for debian-minimal
Add option to set the security mirror URL independently in the debian-minimal element, since this can not be overriden by the standard DIB_DISTRIBUTION_MIRROR variable.
Change-Id: I145844a410d06a479e68db1bf6d5d0159389305c
---
 diskimage_builder/elements/debian-minimal/README.rst | 7 +++++++
 .../debian-minimal/environment.d/10-debian-minimal.bash | 8 +++++++-
 releasenotes/notes/debian-security-7279855cf464f88b.yaml | 7 +++++++
 3 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/debian-security-7279855cf464f88b.yaml
diff --git a/diskimage_builder/elements/debian-minimal/README.rst b/diskimage_builder/elements/debian-minimal/README.rst
index aaea5d2e..2b6368e3 100644
--- a/diskimage_builder/elements/debian-minimal/README.rst
+++ b/diskimage_builder/elements/debian-minimal/README.rst
@@ -12,4 +12,11 @@ be created, the variable ``DIB_RELEASE`` can be set appropriately.
 Note that this element installs ``systemd-sysv`` as the init system
+The element obeys the ``DIB_DISTRIBUTION_MIRROR`` argument for
+mirroring (see ``debootsrap`` element documentation). However, the
+security repositories are separate for Debian, so we can not assume
+they exist at ``DIB_DISTRIBUTION_MIRROR``. If you do not wish to use
+the upstream repository (from ``security.debian.org``) override it
+with ``DIB_DEBIAN_SECURITY_MIRROR``.
+
 .. element_deps::
diff --git a/diskimage_builder/elements/debian-minimal/environment.d/10-debian-minimal.bash b/diskimage_builder/elements/debian-minimal/environment.d/10-debian-minimal.bash
index accb08c6..dad20965 100644
--- a/diskimage_builder/elements/debian-minimal/environment.d/10-debian-minimal.bash
+++ b/diskimage_builder/elements/debian-minimal/environment.d/10-debian-minimal.bash
@@ -6,6 +6,12 @@ if [ -n "${DIB_DEBIAN_DISTRIBUTION_MIRROR:-}" ]; then
 fi
 export DIB_DISTRIBUTION_MIRROR=${DIB_DISTRIBUTION_MIRROR:-http://deb.debian.org/debian}
+# With Debian, security is in a different repository. We can't, say,
+# assume "${DIB_DISTRIBUTION_MIRROR}-security" is valid. The only
+# choice is for people to add it separately, otherwise we use
+# upstream.
+DIB_DEBIAN_SECURITY_MIRROR=${DIB_DEBIAN_SECURITY_MIRROR:-http://security.debian.org/}
+
 export DIB_DEBIAN_COMPONENTS=${DIB_DEBIAN_COMPONENTS:-main}
 export DIB_DEBIAN_COMPONENTS_WS=${DIB_DEBIAN_COMPONENTS//,/ }
@@ -13,7 +19,7 @@ DIB_APT_SOURCES_CONF_DEFAULT=\
 "default:deb ${DIB_DISTRIBUTION_MIRROR} ${DIB_RELEASE} ${DIB_DEBIAN_COMPONENTS_WS}
 backports:deb ${DIB_DISTRIBUTION_MIRROR} ${DIB_RELEASE}-backports ${DIB_DEBIAN_COMPONENTS_WS}
 updates:deb ${DIB_DISTRIBUTION_MIRROR} ${DIB_RELEASE}-updates ${DIB_DEBIAN_COMPONENTS_WS}
-security:deb http://security.debian.org/ ${DIB_RELEASE}/updates ${DIB_DEBIAN_COMPONENTS_WS}
+security:deb ${DIB_DEBIAN_SECURITY_MIRROR} ${DIB_RELEASE}/updates ${DIB_DEBIAN_COMPONENTS_WS}
 "
 if [ "${DIB_RELEASE}" = "testing" -o "${DIB_RELEASE}" = "unstable" ]; then
diff --git a/releasenotes/notes/debian-security-7279855cf464f88b.yaml b/releasenotes/notes/debian-security-7279855cf464f88b.yaml
new file mode 100644
index 00000000..5777282b
--- /dev/null
+++ b/releasenotes/notes/debian-security-7279855cf464f88b.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ A new variable ``DIB_DEBIAN_SECURITY_MIRROR`` is added to override
+ the path to the security repositories. Previously this was
+ hard-coded to the upstream repositories, which could get out of
+ sync with mirrors specified with ``DIB_DISTRIBUTION_MIRROR``.
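Review bot: In `10-debian-minimal.bash`, the new `DIB_DEBIAN_SECURITY_MIRROR` assignment in the first hunk is not exported, while the neighbouring `DIB_DISTRIBUTION_MIRROR` and `DIB_DEBIAN_COMPONENTS` lines are. The value is expanded into `DIB_APT_SOURCES_CONF_DEFAULT` in the same file, so the hunk works as written, but a later script that runs as a child process would not see the override. If that is intended, a short comment saying so would help; otherwise `export DIB_DEBIAN_SECURITY_MIRROR=${DIB_DEBIAN_SECURITY_MIRROR:-http://security.debian.org/}` matches the surrounding lines. The rest of the file is outside the hunk, so whether anything else reads the variable cannot be confirmed from here.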
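Review bot: The `security:` entry in the second hunk of `10-debian-minimal.bash` takes only the base URL from the override and keeps the suite path `${DIB_RELEASE}/updates` fixed, which neither the added comment nor the README text mentions. A mirror named in `DIB_DEBIAN_SECURITY_MIRROR` therefore has to serve the Debian security archive under that same layout, and how current the image's security updates are then depends on how closely that mirror follows upstream. I would add a line to the comment above the assignment, for example `# The mirror must serve the security archive under ${DIB_RELEASE}/updates and be kept in sync with upstream.` The `DIB_APT_SOURCES_CONF_DEFAULT=\` assignment itself begins just above the hunk.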