What's the difference between security.debian.org/debian-security and deb.debian.org/debian-security for Debian 12?

Question

Continuing http://unix.stackexchange.com/questions/541569 (which refers to the outdated Debian 10 and is unspecific/unclear in other ways, and the only answer to which is around 4 years old and at least partially unusable and inapplicable), while managing machines with Debian GNU/Linux 12 (bookworm), I noticed that one of them has, among other entries,

deb http://security.debian.org/debian-security stable-security main contrib non-free non-free-firmware
deb-src http://security.debian.org/debian-security stable-security main contrib non-free non-free-firmware

while another has

deb http://deb.debian.org/debian-security stable-security main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian-security stable-security main contrib non-free non-free-firmware

in their files /etc/apt/sources.list.

What is the difference between the two servers? Is any of them outdated, obsolete, or deprecated? If not, when to use

deb(-src) http://security.debian.org/debian-security stable-security …

and when to use

deb(-src) http://deb.debian.org/debian-security stable-security …

? What's the official, proper security-updates server for Debian stable 12 “bookworm”?

The official Debian security FAQ mentions only debian.security.org and does not directly instruct the user to use this URL, whereas the user-maintained Wiki:SourcesList mentions only deb.debian.org; also, apparently, some of the mirrors behind the CDN of deb.debian.org sometimes redirect to security.debian.org or throw a 404 error. (Source: Stephen Kitt; thanks!)

Answer 1

The difference between security.debian.org and deb.debian.org is primarily in the infrastructure behind them.

security.debian.org is a traditional server that has been used for many years to distribute security updates for Debian.

On the other hand, deb.debian.org is a newer service that uses a content delivery network (CDN) to distribute packages. This means that when you connect to deb.debian.org, you are automatically directed to a server that is geographically close to you, which can result in faster download speeds.

As for security.debian.org/debian-security and deb.debian.org/debian-security, they both point to the same security updates. The difference is just in the server that you're downloading from.

Neither of them is outdated, obsolete, or deprecated. You can use either of them depending on your preference. If you want potentially faster download speeds due to the CDN, you can use deb.debian.org. If you prefer to use the traditional server, you can use security.debian.org.

The official security updates server for Debian stable 12 "bookworm" would be security.debian.org/debian-security as per the official Debian security FAQ. However, as mentioned, deb.debian.org/debian-security would work just as well.

As for the 404 errors or redirects you mentioned, these could be temporary issues with the CDN or specific mirrors. If you encounter these issues, you could try switching to the other server or reporting the issue to the Debian team.