On Tue 31 May 2022 at 14:58:00 +0200, Julien Cristau wrote: > On Tue, May 31, 2022 at 02:26:39PM +0200, David Prévot wrote: > > Package: www.debian.org,release-notes > > Severity: normal > > X-Debbugs-Cc: t...@security.debian.org > > > > Hi teams, > > > > The [errata] advises one to use > > > > deb http://security.debian.org/debian-security bullseye-security main > > contrib non-free > > > > while the [release-notes] advises > > > > deb https://deb.debian.org/debian-security bullseye-security main contrib > > > > Even if both will have the same result (the last time a non-free package > > was uploaded to the security archive may have been during Etch), having > > two different official advice makes it difficult in some situation > > (“what should we actually use?”). Is the use of HTTPS via deb.d.o > > preferable over HTTP via security.d.o? If so maybe the errata should be > > updated, if it’s the other way around, the realease-notes should be > > updated. > > > > errata: https://www.debian.org/releases/stable/errata#security > > release-notes: > > https://www.debian.org/releases/stable/amd64/release-notes/ch-information#security-archive > > > The release-notes version is preferred, as far as scheme and hostname.
There appears to be a consensus in favour of https. For example: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992692#37 Regards, Brian.
