:: Re: [devuan-dev] vlc_broken_in_asci…
Top Page
Delete this message
Reply to this message
Author: KatolaZ
Date:  
To: devuan-dev
Subject: Re: [devuan-dev] vlc_broken_in_ascii?
On Tue, Jun 05, 2018 at 10:31:10AM +0200, Christoph Lechleitner wrote:

[cut]

>
> I wasn't actually using auto.mirror (I don't like auto-magic and I like local mirrors as well as filled proxies in our LANs), my sources.list had:
>
> 1. http://at.mirror.devuan.org/ as nearest mirror.
>
> 2. http://packages.devuan.org/ which at some point seemed to be the prime repository, to avoid problems from half-synced mirrors.
>


No need to have both. It's exactly the same machine. Look at the DNS
records.

>
> > We have already said everywhere that users should use deb.devuan.org,
>
> I didn't get that, but I may be reading the Dng list and other infos too fast and too superficial.
>


It was in the ASCII beta and RC release notes, and we have said over
and again on DNG :)

Will be put more clearly in the ASCIi Release notes.

>
> > especially with ascii. We must put this in the release notes for
> > ASCII, I guess.
>
> That sounds like a good idea.
>
>
> > I don't think that automatic tools are of any help in this case, since
> > sources.list can come in an enormous variety of forms, so an automatic
> > tool will always leave many users unhappy. It's better to ask them to
> > edit their files accordingly.
>
> There are ways on the repository and DNS side, too.
> They seem a bit harsh, so just for the record:
>
> 1. Old/wrong repositories could simply be shut down (DNS records removed) or emptied.
> This would create error messages that force the user to research the situation.
> Too brutal probably, and some might not get it and end without updates, and/or be scared away. Bad idea.
>
> 2. The DNS records pointing to old/wrong repositories could be altered so they point to better repositories.
> This would require the old names to be configured as server aliases in the webserver there.
>
> 3. The old/wrong repositories could HTTP-redirect to better repositories.
> I'm not sure how apt handles redirects.
>


None of those solution work, unfortunately, since the problem is in
the siging key used in the original repos. Moving or redirecting would
break Jessie installations. Long to explain, even if it looks easy and
simple. The plan is to decommission auto.mirror and
packages.devuan.org in due course. New installations should always use
deb.devuan.org.

>
> By the way,
> https://devuan.org/os/etc/apt/sources.list
> says to use
> http://deb.devuan.org/
> or
> http://{CC}.deb.devuan.org/
>
> It does NOT mention
> http://pkgmaster.devuan.org/
> at all.


That's correct, and I did not mention pkgmaster.devuan.org either.
ASCII users should use deb.devuan.org, which is a pool of 14 mirrors,
and not pkgmaster.devuan.org.

>
> Using this, i.e. only my country mirror
> http://at.deb.devuan.org/
> with ascii-updates and ascii-security added, would bring me back to
> vlc 3.0.2 from ascii-security (or 2.2.7 from ascii)
> conflicting with
> vlc-data 2.2.7 from ascii-security or ascii
>


$ apt-cache policy vlc-data
vlc-data:
  Installed: 3.0.2-0+deb9u1
  Candidate: 3.0.2-0+deb9u1
    Version table:
     *** 3.0.2-0+deb9u1 500
            500 http://pkgmaster.devuan.org/merged ascii-security/main amd64 Packages
            500 http://pkgmaster.devuan.org/merged ascii-security/main i386 Packages
            100 /var/lib/dpkg/status
         2.2.7-1~deb9u1 500
            500 http://pkgmaster.devuan.org/merged ascii/main amd64 Packages
            500 http://pkgmaster.devuan.org/merged ascii/main i386 Packages



You must probably be mixing repos here and/or have some pins in
place. What is the output of the above command in your case?

>
> What is the "correct" setup?
>
> For now I'm using
> http://{CC}.deb.devuan.org/
> as main source (protecting the central repository from too much load) plus
> http://pkgmaster.devuan.org/
> for bleeding edge security updates, and to circumvent problems like that vlc/vlc-data conflict?
>


Adding pkgmaster.devuan.org is useless, since *.deb.devuan.org are
synced from pkgmaster.devuan.org every 30 minutes. So you'd better use
only {CC}.deb.devuan.org.

>
> One more bit: The InRelease files on pkgmaster.devuan.org seem to be signed with a key that's not in devuan-keyring.
>
>


That's not true, otherwise apt would refuse to download and install
any package, and not only for you but for thousands of users out
there.

What is the output of:

# apt-cache policy devuan-keyring

please?

HND

KatolaZ

-- 
[ ~.,_  Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab  ]  
[     "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it  ]
[       @)   http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
[     @@)  http://maths.qmul.ac.uk/~vnicosia --  GPG: 0B5F062F  ] 
[ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]