[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian images on Microsoft Azure cloud

Without any official hat, I agree with Md that the changes to the
installed packages seem reasonable, as sparse as possible, and driven
by technological necessity.

I would like to see an official list of packages and checksums
(ideally both SHA-512 and SHA 3-512 as compute & storage are cheap and
using two families increases resilience significantly) & size of the
base image and all files in the base install, sent to list and signed
by a DD, though. Putting said base image and signed list into a place
where DSA can safe-guard it long-term would be the cherry on top.
This seems to be reasonable in terms of actual effort and could help
establish a baseline for a published list of known-good system states.

It's also a request which we could reasonably extend to everyone
interested in publishing their images on the respective platforms,
both retroactively and going forward.


Reply to: