apt-setup/security_host is ignored

I discussed this with Colin Watson via IRC, and I believe he's committed a fix for this. I'm filing this bug to ensure the fixed base-installer gets into Hardy.

This bug was fixed in the package base-installer - 1.86ubuntu9

---------------
base-installer (1.86ubuntu9) jaunty; urgency=low

  * Use the correct mirror for -security in the event of
    apt-setup/security_host being preseeded (LP: #306356).

 -- Colin Watson <email address hidden> Mon, 15 Dec 2008 12:05:18 +0000

I've uploaded fixes for dapper/hardy/intrepid, and would appreciate review.

Accepted into hardy-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Accepted into dapper-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Accepted into intrepid-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

What's going to be the easiest way to test this new udeb? Normally it comes already inside the installer.

Actually, no, it doesn't - base-installer is acquired by the installer at run-time.

For hardy and intrepid, pass apt-setup/proposed=true to the installer on the kernel command line.

For dapper it's more effort. I suspect the easiest way is to make sure that you aren't preseeding the locale, and then when the locale prompt appears, switch to Alt-F2 and edit line 113 of /usr/lib/debian-installer/retriever/net-retriever to add "$codename-proposed" after "$codename-security", so that the line looks like this:

                for codename_extra in "$codename" "$codename-updates" "$codename-security" "$codename-proposed"; do

Colin, I don't think the testcase in the description is quite correct. I used the netboot image from http://archive.ubuntu.com/ubuntu/dists/hardy-proposed/main/installer-i386/20070308ubuntu40.7/images/netboot/mini.iso with an apt-setup/security_host option that pointed to an non-available ip address. There's no mention of security.ubuntu.com in the resultant /var/log/installer/syslog; however, the security archive information was successfully pulled from:

  base-installer: Get:2 http://us.archive.ubuntu.com hardy-security Release.gpg [189B]
  base-installer: Get:4 http://us.archive.ubuntu.com hardy-security Release [58.5kB]
  base-installer: Get:7 http://us.archive.ubuntu.com hardy-security/main Packages [114kB]
  base-installer: Get:8 http://us.archive.ubuntu.com hardy-security/restricted Packages [7487B]

which is what I would expect would happen if $MIRROR is used instead of $SECMIRROR, based on the code snippet above. I do note that later on apt-setup fails to download the hardy-security repo from the non-reachable ip address, and (I believe, but need to reverify) that /etc/apt/sources.list was set up correctly to point to the alternate security host (which confuses me based on the code snippet above).

Using the same netboot image, with the same apt-setup/security_host option plus the addition apt-set/proposed=true argument, those downloads fail with:

  base-installer: Err http://192.168.1.210 hardy-security Release.gpg
  base-installer: Could not connect to 192.168.1.210:3142 (192.168.1.210). - connect (111 Connection refused)
  base-installer: W:
  base-installer: Failed to fetch http://192.168.1.210:3142/ubuntu/dists/hardy-security/Release.gpg Could not connect to 192.168.1.210:3142 (192.168.1.210). - connect (111 Connection refused)
  base-installer:
  base-installer: W:
  base-installer: Some index files failed to download, they have been ignored, or old ones used instead.
  base-installer:
  base-installer: W:
  base-installer: You may want to run apt-get update to correct these problems
  base-installer:

(In both instances there were non-relevant lines interspersed that I removed, but I'll attach the syslog from both runs.)

I *think* this issue is verified for hardy, but I'd like confirmation from Colin on this.

And the log from the installation with apt-setup/proposed=true.

Ah, yes, the sources.list after an installation that doesn't use hardy-proposed has the following in it:

  # deb http://us.archive.ubuntu.com/ubuntu hardy-security main restricted
  deb http://192.168.1.210:3142/ubuntu hardy-security main restricted
  deb-src http://192.168.1.210:3142/ubuntu hardy-security main restricted

which indicates it initially used $MIRROR, then later used $SECMIRROR.

In the above, I should add that the version of /etc/apt/sources.list when using base-installer from hardy-proposed references the passed in security_host in the commented out line for hardy-security.

I've now verified the same behavior for intrepid, using the netboot iso at http://archive.ubuntu.com/ubuntu/dists/intrepid/main/installer-i386/20080522ubuntu23/images/netboot/mini.iso (the current intrepid-proposed netboot iso doesn't boot due to kernel version mismatches); without proposed, base-installer gets security archive information the first time off of archive.ubuntu.com instead of the apt-setup/security_host value. Using apt-setup/proposed=true, which pulls in the base-installer from intrepid-proposed causes all attempts to grab information for the intrepid-security repo to use the apt-setup/security_host value.

Yes, I think the test case is wrong - I should indeed have written archive.ubuntu.com.*security (or some such) rather than security.ubuntu.com. In fact I think this represents a pre-existing bug in base-installer, but not a very serious one.

Steve points out on IRC that that pre-existing bug is indeed this same bug. Sorry, not enough coffee.

I've corrected the test case now.

And finally, confirmation on dapper that the issue is fixed there as well, after editing /usr/lib/debian-installer/retriever/net-retriever to include the proposed repository as well. Marking as verification-done.

This bug was fixed in the package base-installer - 1.86ubuntu2.3

---------------
base-installer (1.86ubuntu2.3) hardy-proposed; urgency=low

  * Use the correct mirror for -security in the event of
    apt-setup/security_host being preseeded (LP: #306356).

 -- Colin Watson <email address hidden> Mon, 15 Dec 2008 12:16:07 +0000

This bug was fixed in the package base-installer - 1.86ubuntu7.1

---------------
base-installer (1.86ubuntu7.1) intrepid-proposed; urgency=low

  * Use the correct mirror for -security in the event of
    apt-setup/security_host being preseeded (LP: #306356).

 -- Colin Watson <email address hidden> Mon, 15 Dec 2008 13:38:05 +0000

This bug was fixed in the package base-installer - 1.42ubuntu14

---------------
base-installer (1.42ubuntu14) dapper-proposed; urgency=low

  * Use the correct mirror for -security in the event of
    apt-setup/security_host being preseeded (LP: #306356).

 -- Colin Watson <email address hidden> Mon, 15 Dec 2008 12:08:52 +0000