Page MenuHomePhabricator

[Debian bullseye image] APT source-list file is not up to date
Closed, ResolvedPublicBUG REPORT

Description

List of steps to reproduce:

What happens?
HTTP 404 on the Debian security repository.

What should have happened instead?
a proper APT update.

Details:

deb {{security}} {{codename}}/updates main
deb-src {{security}} {{codename}}/updates main
  • for some reason, there are no Wikimedia mirrors for the Debian security repos

Event Timeline

bd808 triaged this task as High priority.Nov 8 2021, 6:54 PM
bd808 added a subscriber: bd808.

Bullseye instances are not getting security patches via auto-update as a result of this.

I've just confirmed that this still happens

Change 751498 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] cloud-vps: puppetize /etc/apt/sources.list

https://gerrit.wikimedia.org/r/751498

Change 751498 merged by Andrew Bogott:

[operations/puppet@production] cloud-vps: puppetize /etc/apt/sources.list

https://gerrit.wikimedia.org/r/751498

Andrew claimed this task.
Andrew added subscribers: taavi, Dzahn.

@Majavah reminded me about this issue and caught me up with the latest. A few points:

  • there are no Wikimedia mirrors for the Debian security repos for any version, and that's the recommended practice by the Debian folks. So no issue there.
  • our version of cloud-init doesn't know about the new naming scheme, which is why we get the wrong source entries
  • the latest version of cloud-init DOES know about the new naming scheme but, weirdly, this version of cloud-init doesn't ship with bullseye even though bullseye needs it

at this point @Dzahn chimed in to point out that prod has correct templates for handling sources.list for bullseye and busted. This led us around to T264311, the neglected goal of unifying prod sources.list puppet manifests with cloud-vps.

So, I was bold/reckless and pushed ahead on T264311 which has also resolved this issue.

I don't love that we have a cloud-init-determined sources.list for the first few apt actions and then a slightly different sources.list subsequently, but as far as I can tell it's harmless in practice (and mostly unavoidable.)