Author: Christoph Lechleitner
Date:  
To: devuan-dev
Subject: Re: [devuan-dev] vlc_broken_in_ascii?
Jaromil wrote:

> a user on twitter reported that vlc is broken


That was me. Thanks for answering there!


KatolaZ wrote:
> On Tue, Jun 05, 2018 at 06:41:59AM +0200, Jaromil wrote:
>
> > > ...or they are using auto.mirror.devuan.org, which shows the older version
> > > for vlc-data:
> > >
> > >      3.0.2-0+deb9u1 0
> > >        500 http://pkgmaster.devuan.org/merged/ ascii-security/main amd64
> > >
> > >      2.2.7-1~deb9u1 0
> > >        100 http://auto.mirror.devuan.org/merged/ ascii-security/main amd64


> > well spotted! me too just as Katolaz couldn't find the reason.
> >
> > now we know, is there any way we can avoid this situation created by
> > use of auto.mirror? is it still the default in the installer, or where
> > does it come from?
>
> Then this is the latest quirk of the original amprolla... :(


In my case my sources.list grew from the first ever Devuan Jessie installer and the time the country mirrors were announced.

I wasn't actually using auto.mirror (I don't like auto-magic and I like local mirrors as well as filled proxies in our LANs), my sources.list had:

1. http://at.mirror.devuan.org/ as nearest mirror.

2. http://packages.devuan.org/ which at some point seemed to be the prime repository, to avoid problems from half-synced mirrors.


> We have already said everywhere that users should use deb.devuan.org,


I didn't get that, but I may be reading the Dng list and other info too fast and too superficially.


> especially with ascii. We must put this in the release notes for
> ASCII, I guess.


That sounds like a good idea.


> I don't think that automatic tools are of any help in this case, since
> sources.list can come in an enormous variety of forms, so an automatic
> tool will always leave many users unhappy. It's better to ask them to
> edit their files accordingly.


There are ways on the repository and DNS side, too.
They seem a bit harsh, so just for the record:

1. Old/wrong repositories could simply be shut down (DNS records removed) or emptied.
This would create error messages that force the user to research the situation.
Too brutal probably, and some might not get it and end up without updates, and/or be scared away. Bad idea.

2. The DNS records pointing to old/wrong repositories could be altered so they point to better repositories.
This would require the old names to be configured as server aliases in the webserver there.

3. The old/wrong repositories could HTTP-redirect to better repositories.
I'm not sure how apt handles redirects.


By the way,
https://devuan.org/os/etc/apt/sources.list
says to use
http://deb.devuan.org/
or
http://{CC}.deb.devuan.org/

It does NOT mention
http://pkgmaster.devuan.org/
at all.

Using this, i.e. only my country mirror
http://at.deb.devuan.org/
with ascii-updates and ascii-security added, would bring me back to
vlc 3.0.2 from ascii-security (or 2.2.7 from ascii)
conflicting with
vlc-data 2.2.7 from ascii-security or ascii


What is the "correct" setup?

For now I'm using
http://{CC}.deb.devuan.org/
as main source (protecting the central repository from too much load) plus
http://pkgmaster.devuan.org/
for bleeding edge security updates, and to circumvent problems like that vlc/vlc-data conflict?


One more bit: The InRelease files on pkgmaster.devuan.org seem to be signed with a key that's not in devuan-keyring.


Kind regards,

Christoph
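
The mirror disagreement quoted in this thread (ascii-security at 3.0.2 on one host and 2.2.7 on another) can be checked for mechanically. The following is an added example, not part of the original message or of any Devuan tooling: it parses `apt-cache policy <package>` output and reports any suite that different hosts serve at different versions. The sample text is constructed from the version table quoted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample modelled on the version table quoted in the thread.
SAMPLE = """\
vlc-data:
  Installed: 2.2.7-1~deb9u1
  Candidate: 3.0.2-0+deb9u1
  Version table:
     3.0.2-0+deb9u1 0
        500 http://pkgmaster.devuan.org/merged/ ascii-security/main amd64 Packages
 *** 2.2.7-1~deb9u1 0
        100 http://auto.mirror.devuan.org/merged/ ascii-security/main amd64 Packages
        100 /var/lib/dpkg/status
"""

# A version line: optional "***" marker, version string, priority number.
VERSION = re.compile(r"^\s+(?:\*\*\*\s+)?(\S+)\s+\d+\s*$")
# A source line: pin priority, repository URL, suite/component, architecture.
SOURCE = re.compile(r"^\s+\d+\s+(https?://\S+)\s+(\S+)\s+(\S+)")

def parse_policy(text):
    """Return {(suite/component, arch): {host: set(versions)}} for one package."""
    offers = defaultdict(lambda: defaultdict(set))
    version = None
    # Only the part after "Version table:" lists versions and their sources.
    for line in text.split("Version table:", 1)[-1].splitlines():
        m = SOURCE.match(line)
        if m and version:
            url, suite, arch = m.groups()
            offers[(suite, arch)][urlparse(url).hostname].add(version)
            continue
        m = VERSION.match(line)
        if m:
            version = m.group(1)
    return offers

def mirror_disagreements(text):
    """Suites that different hosts serve at different versions."""
    out = {}
    for key, hosts in parse_policy(text).items():
        if len({frozenset(v) for v in hosts.values()}) > 1:
            out[key] = {h: sorted(v) for h, v in hosts.items()}
    return out

if __name__ == "__main__":
    for (suite, arch), hosts in mirror_disagreements(SAMPLE).items():
        print(f"{suite} [{arch}] differs between mirrors: {hosts}")
```

A hit on a `-security` suite means at least one configured host is serving a stale index, so packages resolved from it may miss security updates.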