
I noticed fresh installs of Debian 10 use a CDN to download packages, called deb.debian.org. This is a friendlier default than using country-specific mirrors, like ftp.uk.debian.org.

I looked at https://deb.debian.org.  It says it can be also used for security updates, i.e., debian-security.  I changed my /etc/apt/sources.list to use deb.debian.org, including for security updates.

However, now I think I made a mistake. I noticed a fresh install of Debian 10 still uses security.debian.org for security updates.

Question

Is there any additional information to help resolve this and decide which source I should use?


$ cat /etc/apt/sources.list
#

deb cdrom:[Official Debian GNU/Linux Live 10.0.0 standard 2019-07-06T10:36]/ buster main

#deb cdrom:[Official Debian GNU/Linux Live 10.0.0 standard 2019-07-06T10:36]/ buster main

deb http://deb.debian.org/debian/ buster main deb-src http://deb.debian.org/debian/ buster main

deb http://security.debian.org/debian-security buster/updates main deb-src http://security.debian.org/debian-security buster/updates main

buster-updates, previously known as 'volatile'

deb http://deb.debian.org/debian/ buster-updates main deb-src http://deb.debian.org/debian/ buster-updates main

This system was installed using small removable media

(e.g. netinst, live or single CD). The matching "deb cdrom"

entries were disabled at the end of the installation process.

For information about how to configure apt package sources,

see the sources.list(5) manual.

sourcejedi

1 Answer

According to the current Debian security FAQ, we should use security.debian.org for security updates.

Q: Why are there no official mirrors for security.debian.org?

A: Actually, there are. There are several official mirrors, implemented through DNS aliases. The purpose of security.debian.org is to make security updates available as quickly and easily as possible.

Encouraging the use of unofficial mirrors would add extra complexity that is usually not needed and that can cause frustration if these mirrors are not kept up to date.


Although http://deb.debian.org mentions deb.debian.org/debian-security, it does not provide any specific argument to prefer it, or to contradict the security team.

Similarly, although it is also shown in https://wiki.debian.org/SourcesList, no rationale is given to contradict the above.

Overall, security.debian.org is recommended by:

  1. debian-live-10.0.0-amd64-standard.iso - the specific download I used to install Debian 10.
  2. https://www.debian.org/security/
  3. https://www.debian.org/security/faq#mirror
  4. The official (but outdated) Securing Debian Manual

One point in favour of deb.debian.org is that it is set up to support https, if the user sets this prefix in repository urls - security.debian.org is not. (Debian Wiki: SourcesList)

As to whether https gives the user any additional benefit, it depends what they are trying to achieve (e.g. 1, 2, 3).

Stephen Kitt
sourcejedi
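A quick way to audit the point the answer turns on, as an added example that is not part of the question or of sourcejedi's answer: read a sources.list, pick out the entries that supply security updates, and show which host and which scheme (http or https) each one uses. The script assumes the one-line-per-entry sources.list format shown in the question; the embedded sample is constructed from the Debian 10 defaults plus one security entry rewritten to the CDN over https, as the asker did.

```shell
#!/bin/sh
# Added example: list the sources.list entries that provide security
# updates, with the scheme and host of each, so it is obvious whether they
# point at security.debian.org or at deb.debian.org and whether they use
# http or https. Assumes one entry per line (the format in the question).
set -f   # no globbing while entries are word-split with `set --`

# Constructed sample (not a real system's file): the Debian 10 defaults
# from the question plus a security entry moved to the CDN over https.
SAMPLE='# deb cdrom:[Official Debian GNU/Linux Live 10.0.0 standard]/ buster main
deb http://deb.debian.org/debian/ buster main
deb-src http://deb.debian.org/debian/ buster main
deb http://security.debian.org/debian-security buster/updates main
deb-src http://security.debian.org/debian-security buster/updates main
deb https://deb.debian.org/debian-security buster/updates main
# buster-updates, previously known as "volatile"
deb http://deb.debian.org/debian/ buster-updates main'

# Print "type scheme host suite" for every entry whose suite is a security
# suite: <codename>/updates up to Debian 10, <codename>-security from
# Debian 11 onward.
security_sources() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;        # skip blank lines and comments
        esac
        set -- $line                    # type, uri, suite, components...
        [ $# -ge 3 ] || continue
        case "$3" in
            */updates|*-security) ;;
            *) continue ;;
        esac
        scheme=${2%%://*}
        host=${2#*://}; host=${host%%/*}
        printf '%s %s %s %s\n' "$1" "$scheme" "$host" "$3"
    done
}

# Number of security entries served by a given host.
count_security_host() {   # $1 = sources text, $2 = host
    security_sources "$1" | awk -v h="$2" '$3 == h { n++ } END { print n + 0 }'
}

# Number of security entries fetched over plain http (integrity then rests
# solely on apt's signature check of the Release file, not on the transport).
count_plain_http_security() {
    security_sources "$1" | awk '$2 == "http" { n++ } END { print n + 0 }'
}

security_sources "$SAMPLE"
```

Run it against a real file with `security_sources "$(cat /etc/apt/sources.list)"`; a non-zero `count_plain_http_security` combined with entries on deb.debian.org shows where switching the prefix to https, as the answer notes the CDN supports, would apply.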