Continuing http://unix.stackexchange.com/questions/541569 (which refers to the outdated Debian 10 and is unspecific/unclear in other ways, and the only answer to which is around 4 years old and at least partially unusable and inapplicable), while managing machines with Debian GNU/Linux 12 (bookworm), I noticed that one of them has, among other entries,
deb http://security.debian.org/debian-security stable-security main contrib non-free non-free-firmware
deb-src http://security.debian.org/debian-security stable-security main contrib non-free non-free-firmware
while another has
deb http://deb.debian.org/debian-security stable-security main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian-security stable-security main contrib non-free non-free-firmware
in their files /etc/apt/sources.list
.
What is the difference between the two servers? Is any of them outdated, obsolete, or deprecated? If not, when to use
deb(-src) http://security.debian.org/debian-security stable-security …
and when to use
deb(-src) http://deb.debian.org/debian-security stable-security …
? What's the official, proper security-updates server for Debian stable 12 “bookworm”?
The official Debian security FAQ mentions only debian.security.org and does not directly instruct the user to use this URL, whereas the user-maintained Wiki:SourcesList mentions only deb.debian.org; also, apparently, some of the mirrors behind the CDN of deb.debian.org sometimes redirect to security.debian.org or throw a 404 error. (Source: Stephen Kitt; thanks!)