Hi,
I was playing around with VyOS and thought i'd build myself an iso and hit this issue. Not sure if its the correct way to solve it, but this is what I did:

• Modify scripts/live-build-config and changed it from --backports true to --backports false
• Modify data/defaults.json and add "deb [arch=amd64] http://archive.debian.org/debian buster-backports main non-free" as an extra line into additional_repositories

After that i re-ran ./configure and make iso and it generated sucessfully.

It looks like the issue is likely with the Debian live-build utility as it seems to be the thing which adds the backports line incorrectly into sources.list.

This is the result of buster-backports being removed from the main repository server: https://backports.debian.org/news/Removal_of_buster-backports_from_the_debian_archive/

This can be solved by just changing the line in defaults.json. I've opened https://github.com/vyos/vyos-build/pull/572 to correct this.

Meanwhile, trying to build 1.4 fails for a different reason - Debian 12 (bookworm) is still where it was, but sagitta-packages.vyos.net gives a 403 error:

[2024-04-24 21:15:56] lb bootstrap_archives
P: Configuring file /etc/apt/sources.list
Get:1 http://security.debian.org/debian-security buster/updates InRelease [34.8 kB]
Get:2 https://repo.saltproject.io/py3/debian/11/amd64/3005 bullseye InRelease [2853 B]
Hit:3 http://deb.debian.org/debian bookworm InRelease
Get:5 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:6 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:7 http://security.debian.org/debian-security buster/updates/main amd64 Packages [596 kB]
Get:8 http://deb.debian.org/debian bookworm-backports InRelease [56.5 kB]
Get:9 http://deb.debian.org/debian buster InRelease [122 kB]
Err:4 https://sagitta-packages.vyos.net sagitta InRelease

403  Forbidden [IP: 2606:4700::6812:1e4f 443]

Get:10 http://deb.debian.org/debian buster-updates InRelease [56.6 kB]

...

Reading package lists... Done
E: Failed to fetch http://dev.packages.vyos.net/repositories/sagitta/dists/sagitta/InRelease 403 Forbidden [IP: 2606:4700::6812:1e4f 443]
E: The repository 'http://dev.packages.vyos.net/repositories/sagitta sagitta InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
N: Repository 'Debian bookworm' changed its 'non-free component' value from 'non-free' to 'non-free non-free-firmware'
N: More information about this can be found online in the Release notes at: https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.html#non-free-split
E: An unexpected failure occurred, exiting...
P: Begin unmounting filesystems...
P: Saving caches...
Reading package lists... Done
Building dependency tree... Done

In addition, the "repository is not signed" warning looks worrying - bad things could happen if it was ever compromised and some binary package replaced with malicious one by a bad actor.
As the xz backdoor has shown, such things could be well hidden even in open source code, but still easier to hide in binary packages so I'm not sure if images built from this can really be trusted.
If some packages not from Debian are needed, it would be better to be able to rebuild them from source, with the necessary build scripts and patches hosted at GitHub too.

And. when I try to access the repo URL with a web browser, I'm greeted by an error message from Cloudflare, which doesn't seem to make sense either (I have tried from different IPs and the result is the same, even if it was the first access from that IP address, so no attack could possibly be detected):

Sorry, you have been blocked
You are unable to access vyos.net
Why have I been blocked?

This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.
What can I do to resolve this?

You can email the site owner to let them know you were blocked. Please include what you were doing when this page came up and the Cloudflare Ray ID found at the bottom of this page.

Cloudflare Ray ID: 87987d4b1d2934dc • Your IP:

• Performance & security by Cloudflare

If it's just a glitch at Cloudflare (has been for at least 24 hours now) please consider this report to be "email the site owner" mentioned above. I'm sure I haven't done anything that could be expected to trigger any security solution.

Unfortunately not yet resolved for 1.4 - now reported separately here https://vyos.dev/T6264