Debian security release/updates does not have a Release file

[mbruzek]

The Debian template is building the security apt sources.list incorrectly. Apt update is failing with an error:

E: The repository 'http://security.debian.org bullseye/updates Release' does not have a Release file.

Steps to reproduce:

lxc-create --template debian --name bullseye-test -- --release bullseye
lxc-start bullseye-test                                                
lxc-attach bullseye-test
# apt update                                          
Hit:1 http://deb.debian.org/debian bullseye InRelease
Ign:2 http://security.debian.org bullseye/updates InRelease
Get:3 http://deb.debian.org/debian bullseye/main Translation-en [6,241 kB]
Err:4 http://security.debian.org bullseye/updates Release                   
  404  Not Found [IP: 151.101.50.132 80]          
Reading package lists... Done                              
E: The repository 'http://security.debian.org bullseye/updates Release' does not have a Release f
ile.                                             
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.             

According to https://www.debian.org/security/ the sources.list security entry should have something like this:

deb http://security.debian.org/debian-security bullseye-security main contrib non-free

Rather than ${release}/updates

Looks like this line needs to change:

lxc-templates/templates/lxc-debian.in

Line 245 in 80ba0cb

${prefix} $SECURITY_MIRROR ${release}/updates main${non_main}

I edited the source.list to make sure this would work and the apt update was successful:

root@bullseye-test:~# cat /etc/apt/sources.list                                                  
deb http://deb.debian.org/debian          bullseye         main                                  
deb http://security.debian.org/ bullseye/updates main                                            
root@bullseye-test:~# sed -i "s|bullseye/updates|bullseye-security|" /etc/apt/sources.list       
root@bullseye-test:~# cat /etc/apt/sources.list                                                  
deb http://deb.debian.org/debian          bullseye         main                                 
deb http://security.debian.org/ bullseye-security main
root@bullseye-test:~# apt update                                                                 
Hit:1 http://deb.debian.org/debian bullseye InRelease                                            
Get:2 http://security.debian.org bullseye-security InRelease [44.1 kB]                           
Get:3 http://security.debian.org bullseye-security/main amd64 Packages [25.4 kB]                 
Get:4 http://security.debian.org bullseye-security/main Translation-en [12.5 kB]                 
Fetched 81.9 kB in 0s (244 kB/s)                             
Reading package lists... Done        
Building dependency tree... Done     
1 package can be upgraded. Run 'apt list --upgradable' to see it.

Let me know if you need any more information.

[gibmat]

I think that #42 essentially fixed this, although it then introduced a mirror issue for buster and earlier releases as their apt security URLs will be wrong.

Debian's packaging of lxc-templates includes a patch to perform better determination of which security URLs should be configured for apt. It hasn't been upstreamed because it depends on invoking debian-distro-info, which can be recommended in Debian's packaging but isn't necessarily available on arbitrary distros.