[xen-tools-dev] Ubuntu, debootstrap, and -updates / -security repositories

Stéphane Jourdois sjourdois at gmail.com
Sat Oct 30 18:11:54 CEST 2010


On 29/10/2010 04:40, Nathan O'Sullivan wrote:
> Ubuntu's lucid release (10.04) has had its point release taking it to
> 10.04.1. Ubuntu chooses to distribute this within a second repository
> tree (as lucid-updates) rather than within the base "lucid" suite.
>
> They also choose to distribute security updates through another tree (as
> lucid-security) rather than within the base "lucid" suite.
>
> The relevant hook script (
> http://gitorious.org/xen-tools/xen-tools/blobs/master/hooks/karmic/20-setup-apt
> ) knows about this, and inserts the -updates and -security entries into
> /etc/apt/sources.list before calling "apt-get update".
>
> Debootstrap on the other hand, does not seem to know about/support this
> (?), with the end result being that upon booting into a Lucid domU,
> you're immediately told that there are 30-40 packages that should be
> upgraded. Potential options:
>
> 1. Do nothing. I do not see this as being particularly desirable - why
> should a new domU be forced to manually update?
> 2. File a bug against debootstrap, if we consider it a bug (?)
> 3. Revise 20-setup-apt so that the -updates and -security entries are
> commented out by default; this would at least make the domU appear fully
> up to date in terms of its initial deployment.
> 4. Revise 20-setup-apt so that it runs "apt-get upgrade" after "apt-get
> update".
>
> Thoughts?

Hi, and thanks for this report.

The real problem here is that we install "original distributions", not
including security updates or bug fixes released afterwards. It applies to
lenny, for example, where I always have to run apt-get upgrade just
after install (apt-get update is run by xen-tools).

This is not a debootstrap bug, and even if it were, we still would have 
to fix it when not using debootstrap and for other distributions. Feel 
free to submit this though to debootstrap :-)

20-setup-apt only applies to debian/ubuntu, and we have to implement the
same fix for centos/redhat/suse/etc. We _cannot_ have some distributions
installed with fixes while others are not.

At least, for the next bug-fix release, we should warn the user that he
_has_ to apply security/bug fixes himself, using for example 
xen-update-image.

Let's wait for more thoughts about this hard one.

Stephane.

-- 
  ///  Stephane Jourdois     /"\  ASCII RIBBON CAMPAIGN \\\
(((    Consultant securite  \ /    AGAINST HTML MAIL    )))
  \\\   157 Bd Davout         X                         ///
   \\\  75020  Paris         / \    +33 6 8643 3085    ///
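
Added example (not part of the original messages and not xen-tools code): a check that reports which of the base, -updates and -security pockets are enabled in a guest's sources.list, which is what decides whether apt sees the pending fixes discussed in this thread. The function names, the sample file and its mirror URLs are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helper: read a sources.list on stdin and print the pockets of
# SUITE (SUITE, SUITE-updates, SUITE-security) that have no enabled "deb"
# line. Returns 0 when all three are enabled, 1 otherwise.
missing_pockets() {
    suite=$1
    awk -v s="$suite" '
        # Only uncommented binary entries count ("# deb ..." has $1 == "#").
        $1 == "deb" {
            i = 2                       # index of the URI field
            # Skip an optional "[option=value ...]" block before the URI.
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            seen[$(i + 1)] = 1          # field after the URI is the suite
        }
        END {
            n = split(s " " s "-updates " s "-security", want, " ")
            out = ""
            for (k = 1; k <= n; k++)
                if (!(want[k] in seen))
                    out = out (out == "" ? "" : " ") want[k]
            print out
            exit (out == "" ? 0 : 1)
        }'
}

# Constructed sample: base suite enabled, -updates commented out (as in
# option 3 of the quoted message), -security enabled with an option block.
sample_sources_list() {
    cat <<'EOF'
deb http://archive.ubuntu.com/ubuntu lucid main universe
# deb http://archive.ubuntu.com/ubuntu lucid-updates main universe
deb [arch=amd64] http://security.ubuntu.com/ubuntu lucid-security main universe
EOF
}

# Stand-alone run on the sample; prints "lucid-updates".
sample_sources_list | missing_pockets lucid ||
    echo "some pockets are not enabled" >&2
```

On a real image the input would be the guest's own /etc/apt/sources.list, read from wherever the image is mounted.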

