[pbs-devel] [PATCH proxmox-offline-mirror] mirror: add support for trixie repositories
Shannon Sterz
s.sterz at proxmox.com
Fri Aug 29 10:19:53 CEST 2025
On Thu Aug 28, 2025 at 11:21 PM CEST, Thomas Lamprecht wrote:
> On 27/08/2025 16:25, Shannon Sterz wrote:
>> Signed-off-by: Shannon Sterz <s.sterz at proxmox.com>
>> ---
>> src/bin/proxmox-offline-mirror.rs | 99 +++++++++++++++++++++----------
>> 1 file changed, 69 insertions(+), 30 deletions(-)
>>
>
>> @@ -353,6 +382,15 @@ fn action_add_mirror(config: &SectionConfigData) -> Result<Vec<MirrorConfig>, Er
>>
>> // TODO enterprise query for key!
>> let url = match (release, variant) {
>> + (Release::Trixie, ProxmoxVariant::Enterprise) => format!(
>> + "https://enterprise.proxmox.com/debian/{product} trixie {product}-enterprise"
>> + ),
>> + (Release::Trixie, ProxmoxVariant::NoSubscription) => format!(
>> + "http://download.proxmox.com/debian/{product} trixie {product}-no-subscription"
>> + ),
>> + (Release::Trixie, ProxmoxVariant::Test) => {
>> + format!("http://download.proxmox.com/debian/{product} trixie {product}test")
>
> Since trixie the test repo is also finally kebab-case, i.e. above needs to
> use "... trixie {product}-test"
ah true, somehow missed that, will fix that in a v2. thanks!
>> + }
>> (Release::Bookworm, ProxmoxVariant::Enterprise) => format!(
>> "https://enterprise.proxmox.com/debian/{product} bookworm {product}-enterprise"
>> ),
>> @@ -390,6 +428,7 @@ fn action_add_mirror(config: &SectionConfigData) -> Result<Vec<MirrorConfig>, Er
>> };
>>
>> let key = match release {
>> + Release::Trixie => "/etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg",
>
> Only checking the diff not the full context, but should we use the
> relatively new common archive keyring in /usr here?
i was wondering whether we should switch to the ones under /usr in
general too, but thought that i'd rather stick with this as both
debian's and our keyring package seem to put the key in both places
still anyway. but, i guess, the ones under `/etc/apt/trusted.gpg.d`
could eventually be deprecated for security reasons (i.e. `apt` should
maybe not trust our keys implicitly for *all* repos)?
as for whether to use the archive keyring: i think pining the specific
keys here should be preferred. this should limit the attack surface if a
key does leak. if a key in the keyring leaks, all mirrors relying on
that keyring are potentially in danger if we use the keyring here. if we
use the specific key explicitly, the mirror is only in danger if its
specific key has leaked. which is probably also easier to communicate to
admins and so on.
for systems that need to potentially go through major upgrades and
regular key cycling and such, using the keyring does reduce the
maintenance burden, though. however, that argument doesn't really apply
to mirrors in my opinion, they only need to have a valid key when the
snapshot is being taken.
i'll send a v2 that switches the key to use the /usr and the fix for the
kebab-casing. i'll also add a patch updating the docs, overlooked that
here.
>> Release::Bookworm => "/etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg",
>> Release::Bullseye => "/etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg",
>> Release::Buster => "/etc/apt/trusted.gpg.d/proxmox-release-buster.gpg",
More information about the pbs-devel
mailing list