From: "Shannon Sterz"
To: "Thomas Lamprecht", "Proxmox Backup Server development discussion"
Date: Fri, 29 Aug 2025 10:19:53 +0200
Subject: Re: [pbs-devel] [PATCH proxmox-offline-mirror] mirror: add support for trixie repositories
In-Reply-To: <6a260baa-8071-4505-8169-18fe3ad41f10@proxmox.com>
References: <20250827142458.293270-1-s.sterz@proxmox.com> <6a260baa-8071-4505-8169-18fe3ad41f10@proxmox.com>
List-Id: Proxmox Backup Server development discussion
X-Mailer: aerc 0.20.0

On Thu Aug 28, 2025 at 11:21 PM CEST, Thomas Lamprecht wrote:
> On 27/08/2025 16:25, Shannon Sterz wrote:
>> Signed-off-by: Shannon Sterz
>> ---
>>  src/bin/proxmox-offline-mirror.rs | 99 +++++++++++++++++++++----------
>>  1 file changed, 69 insertions(+), 30 deletions(-)
>>
>
>> @@ -353,6 +382,15 @@ fn action_add_mirror(config: &SectionConfigData) -> Result, Er
>>
>>      // TODO enterprise query for key!
>>      let url = match (release, variant) {
>> +        (Release::Trixie, ProxmoxVariant::Enterprise) => format!(
>> +            "https://enterprise.proxmox.com/debian/{product} trixie {product}-enterprise"
>> +        ),
>> +        (Release::Trixie, ProxmoxVariant::NoSubscription) => format!(
>> +            "http://download.proxmox.com/debian/{product} trixie {product}-no-subscription"
>> +        ),
>> +        (Release::Trixie, ProxmoxVariant::Test) => {
>> +            format!("http://download.proxmox.com/debian/{product} trixie {product}test")
>
> Since trixie the test repo is also finally kebab-case, i.e. above needs to
> use "... trixie {product}-test"

ah true, somehow missed that, will fix that in a v2. thanks!

>> +        }
>>          (Release::Bookworm, ProxmoxVariant::Enterprise) => format!(
>>              "https://enterprise.proxmox.com/debian/{product} bookworm {product}-enterprise"
>>          ),
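Review bot: the `(Release::Trixie, ProxmoxVariant::Test)` arm builds the component as `{product}test`, while the two Trixie arms above it use `{product}-enterprise` and `{product}-no-subscription`; as the reply in this thread already states, the trixie test component is `{product}-test`, so without the hyphen the generated sources line names a component that does not exist. While this arm is being touched, a one-line comment on why the no-subscription and test arms use `http://download.proxmox.com` where the enterprise arm uses `https://enterprise.proxmox.com` would help a reader of this match: the repository metadata is checked against the per-release key selected in the `let key = match release` block further down, so the scheme difference is not an integrity problem, but it looks like an oversight without a comment.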
>> @@ -390,6 +428,7 @@ fn action_add_mirror(config: &SectionConfigData) -> Result, Er
>>      };
>>
>>      let key = match release {
>> +        Release::Trixie => "/etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg",
>
> Only checking the diff not the full context, but should we use the
> relatively new common archive keyring in /usr here?

i was wondering whether we should switch to the ones under /usr in general
too, but thought that i'd rather stick with this as both debian's and our
keyring package seem to put the key in both places still anyway. but, i
guess, the ones under `/etc/apt/trusted.gpg.d` could eventually be
deprecated for security reasons (i.e. `apt` should maybe not trust our
keys implicitly for *all* repos)?

as for whether to use the archive keyring: i think pinning the specific
keys here should be preferred. this should limit the attack surface if a
key does leak. if a key in the keyring leaks, all mirrors relying on that
keyring are potentially in danger if we use the keyring here. if we use
the specific key explicitly, the mirror is only in danger if its specific
key has leaked. which is probably also easier to communicate to admins
and so on.

for systems that need to potentially go through major upgrades and
regular key cycling and such, using the keyring does reduce the
maintenance burden, though. however, that argument doesn't really apply
to mirrors in my opinion, they only need to have a valid key when the
snapshot is being taken.

i'll send a v2 that switches the key to use the one under /usr and
includes the fix for the kebab-casing. i'll also add a patch updating the
docs, overlooked that here.

>>          Release::Bookworm => "/etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg",
>>          Release::Bullseye => "/etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg",
>>          Release::Buster => "/etc/apt/trusted.gpg.d/proxmox-release-buster.gpg",
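Review bot: the new `Release::Trixie` arm hardcodes `/etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg`, matching the bookworm, bullseye and buster arms below it, but the thread agrees that v2 will point this arm at the key under /usr instead; if only the trixie arm moves, the match mixes two path conventions, so either move all four arms in the same patch or add a comment above the match explaining why older releases keep the `/etc/apt/trusted.gpg.d` path. Whichever location is chosen, keep it a per-release key file rather than a combined archive keyring, since the reasoning given in this thread (a leaked key should only endanger the mirror that pins it) depends on the match returning exactly one key for one release.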
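The trust-scope argument made in this reply (a key in a shared keyring vouches for every mirror that uses that keyring, a pinned per-release key only for its own) is the same distinction apt draws for clients: any key file in `/etc/apt/trusted.gpg.d` is accepted for every source that has no `signed-by` option, while a key named via `[signed-by=...]` authenticates only that one source. What follows is an added example, not code from proxmox-offline-mirror or from anyone in this thread. It parses a few constructed sources.list lines, models keyring contents as lists of fingerprints (all hosts, keyring paths and fingerprints are made up for illustration), and reports which sources a leaked trixie key could sign under three layouts: keys dropped into the global trust directory, a shared vendor archive keyring, and a pinned per-release key. The example goes slightly beyond the thread by showing all three layouts side by side.

```rust
use std::collections::BTreeMap;

/// One `deb` line from sources.list, reduced to what the trust decision needs.
#[derive(Debug, Clone, PartialEq)]
struct Source {
    uri: String,
    suite: String,
    component: String,
    /// Keyring named by `[signed-by=...]`, if the entry has one.
    signed_by: Option<String>,
}

/// Parse a one-line-style `deb [options] uri suite component` entry.
/// Returns None for blank lines, comments and entries missing a field.
fn parse_source(line: &str) -> Option<Source> {
    let line = line.trim();
    if line.is_empty() || line.starts_with('#') {
        return None;
    }
    let rest = line.strip_prefix("deb ")?;
    let mut signed_by = None;
    let rest = match rest.trim_start().strip_prefix('[') {
        Some(opts) => {
            let (opts, tail) = opts.split_once(']')?;
            for opt in opts.split_whitespace() {
                if let Some(path) = opt.strip_prefix("signed-by=") {
                    signed_by = Some(path.to_string());
                }
            }
            tail
        }
        None => rest,
    };
    let mut fields = rest.split_whitespace();
    Some(Source {
        uri: fields.next()?.to_string(),
        suite: fields.next()?.to_string(),
        component: fields.next()?.to_string(),
        signed_by,
    })
}

/// Keyring file -> fingerprints it contains. Constructed for this example:
/// the paths are hypothetical and real keyrings are binary OpenPGP files.
type Keyrings = BTreeMap<String, Vec<String>>;

fn sample_keyrings() -> Keyrings {
    let entries = [
        // files apt trusts for every source without signed-by
        ("/etc/apt/trusted.gpg.d/debian-archive-trixie-stable.gpg", vec!["KEY-DEBIAN"]),
        ("/etc/apt/trusted.gpg.d/vendor-release-bookworm.gpg", vec!["KEY-BOOKWORM"]),
        ("/etc/apt/trusted.gpg.d/vendor-release-trixie.gpg", vec!["KEY-TRIXIE"]),
        // keyrings consulted only when a source names them via signed-by
        ("/usr/share/keyrings/debian-archive-keyring.gpg", vec!["KEY-DEBIAN"]),
        ("/usr/share/keyrings/vendor-archive-keyring.gpg", vec!["KEY-BOOKWORM", "KEY-TRIXIE"]),
        ("/usr/share/keyrings/vendor-release-bookworm.gpg", vec!["KEY-BOOKWORM"]),
        ("/usr/share/keyrings/vendor-release-trixie.gpg", vec!["KEY-TRIXIE"]),
    ];
    entries
        .iter()
        .map(|(path, keys)| (path.to_string(), keys.iter().map(|k| k.to_string()).collect::<Vec<String>>()))
        .collect()
}

/// Keyrings apt consults for `src`: only the signed-by file when one is
/// given, otherwise every file in the global trust directory.
fn accepted_keyrings(src: &Source, global: &[&str]) -> Vec<String> {
    match &src.signed_by {
        Some(path) => vec![path.clone()],
        None => global.iter().map(|g| g.to_string()).collect(),
    }
}

/// Sources whose Release signatures a leaked key `fpr` could now forge.
fn exposure(sources: &[Source], keyrings: &Keyrings, global: &[&str], fpr: &str) -> Vec<String> {
    sources
        .iter()
        .filter(|src| {
            accepted_keyrings(src, global).iter().any(|kr| {
                keyrings.get(kr).map_or(false, |keys| keys.iter().any(|k| k.as_str() == fpr))
            })
        })
        .map(|src| format!("{} {} {}", src.uri, src.suite, src.component))
        .collect()
}

/// The same three sources under three trust layouts, evaluated against a
/// leaked trixie key. Hosts are placeholders; the layouts are the choices
/// discussed in the thread.
fn leaked_trixie_key_exposure() -> Vec<(&'static str, Vec<String>)> {
    let keyrings = sample_keyrings();
    let global: Vec<&str> = keyrings.keys().filter(|p| p.starts_with("/etc/apt/trusted.gpg.d/")).map(|p| p.as_str()).collect();
    let layouts = [
        ("keys in /etc/apt/trusted.gpg.d, no signed-by", vec![
            "deb http://deb.example.invalid/debian trixie main",
            "deb http://download.example.invalid/debian/pbs trixie pbs-no-subscription",
            "deb http://download.example.invalid/debian/pbs bookworm pbs-no-subscription",
        ]),
        ("signed-by = shared vendor archive keyring", vec![
            "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://deb.example.invalid/debian trixie main",
            "deb [signed-by=/usr/share/keyrings/vendor-archive-keyring.gpg] http://download.example.invalid/debian/pbs trixie pbs-no-subscription",
            "deb [signed-by=/usr/share/keyrings/vendor-archive-keyring.gpg] http://download.example.invalid/debian/pbs bookworm pbs-no-subscription",
        ]),
        ("signed-by = pinned per-release key", vec![
            "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://deb.example.invalid/debian trixie main",
            "deb [signed-by=/usr/share/keyrings/vendor-release-trixie.gpg] http://download.example.invalid/debian/pbs trixie pbs-no-subscription",
            "deb [signed-by=/usr/share/keyrings/vendor-release-bookworm.gpg] http://download.example.invalid/debian/pbs bookworm pbs-no-subscription",
        ]),
    ];
    layouts
        .iter()
        .map(|(name, lines)| {
            let sources: Vec<Source> = lines.iter().filter_map(|l| parse_source(l)).collect();
            (*name, exposure(&sources, &keyrings, &global, "KEY-TRIXIE"))
        })
        .collect()
}

fn main() {
    for (layout, exposed) in leaked_trixie_key_exposure() {
        println!("{layout}: a leaked trixie key can sign {} source(s)", exposed.len());
        for s in exposed {
            println!("    {s}");
        }
    }
}
```

Run as is, the global layout reports all three sources exposed (including the unrelated Debian one, which is the "trust our keys for *all* repos" concern), the shared keyring reports both vendor sources, and the pinned layout reports only the trixie source, which is the blast radius the reply argues a mirror should have.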