Hi, On Wed Nov 11, 2015 at 15:18:51 -0500, Brian Gupta wrote: > (Note: Although some of you may know that I am a member of the Debian TM > team, I am raising the following issues as a long-time participant in the > debian-cloud group/mailing-list. I also apologize upfront for the length of > this email, and for any inevitable omissions.) I see some conflict of interest here, but i will answer the technical questions. First of all, i want to stress out, that i didn't request the trademark for the name "Official Debian images on Microsoft Azure cloud". I am happy to help here that we, at some future point, might reach that status, but as per discussion (where never a final decission was made!) during DebConf15 we mostly agreed that we should be careful what we call "Official Debian". Therefor we would like to use "Debian Jessie/Debian Wheezy build for Microsoft Azure". > 1) the image includes only software available in Debian [2] Check. Our image only includes software available in Debian, except waagent. waagent is available in Debian itself, but not the version we currently need for the image, see my initial mail for more information. > 2) the image generation process is controlled solely by Debian [2] Check. Only DD have write access to the Jenkins instance used to generate images and control the scripts used by the process. Apart from the usual vendor operation staff, of cause. > 3) the image is generated using tools available in Debian, or maintained [2] > by Debian Check. The tools are maintained by DD. > 4) Only DFSG-compliant Software in the image. Only main enabled, with > perhaps a temporary exception for backports [3], for specific enablement > software Check. > 6) the images most provide a user experience (in terms of default > choice of packages, or of default configuration) identical to other >means of installing Debian. Differences must be documented and justified. >[4] Check. > 7) Debian kernel [5] Check. For Wheezy we need to use the kernel from backports. > 8) Built using Debian infrastructure [6] (I think this should be modified to > have a caveat, "to as much an extent as possible") In general I support this idea. But for the current process of building those images is based on a contract our company have with Microsoft. This would violated the DMUP that clearly says: "Don't use Debian Facilities for private financial gain or for commercial purposes, including consultancy or any other work outside the scope of official duties or functions for the time being, without specific authorization to do so." The process of modifing the DMUP should be discussed elsewhere. The publishing of images requires login credentials to the vendors publishing API. In most cases those credentials are in some way linked to credit card data.... Do I really need to say more? Currently building images for whatever vendor requires root permissions on debian.org boxes. While I have them, using them would be an abuse of my DSA position. Also we eat our own dogfood and use Azure images to build Azure images. > There are other considerations as well that I'm not sure if we've addressed > before. > > 1) Should we require that the images only point to Debian repos, and/or > official > mirrors? If not, what are the requirements here? That idea is complete nonsense. a) We have several layers of checksums and cryptographical signatures on the Debian archive and apt requiring the correct archive signing keys, so apt would start to complain immediately. What we could do as requirement is that every vendor needs to list all imported keys from "apt-key list" in the published build log of the image. b) In most cases vendors offering Debian run mirrors internally, which are available with much better connection than our official ones. Those can be verified by apt (see (a)). Cloud vendors usually bill for external traffic, sometimes only one direction, sometimes both. So your idea would result in our users needing to pay even more money to the cloud vendors. While the cloud vendors might support your idea, I personaly (without any hat on) think it is a very bad idea. > 2) Require public review of images/plans (where? I think debian-cloud > and debian-cd are the right places, but there may be others) I like the idea in general. Will we be able to support the review process for all different vendors? Will we be able to verify images / review images for cloud systems that are not that widely used as Azure, AWS, GCE or Openstack? > 4) Documentation? Is it enough to just put it in wiki.d.o, in the cloud > section? started on https://wiki.debian.org/MicrosoftAzure. > Other questions: > > 1) bootstrap-vz is used to build the AWS and GCE images. bootstrap-vz has > also had support for Azure for at least two years. Is there a reason the > same tool wasn't used? The answer to this is quite simple: At the time we started to create images for Azure, bootstrap-vz was not in shape for generating Azure images that worked. For the demonstration purpose during DebConf15 we needed an image and Thomas openstack-debian-images script generated an image that was more or less out of the box usable for Azure. So we continued to use that script. Long term we plan to support both scripts. Best regards, Martin -- Martin Zobel-Helas Technischer Leiter Betrieb Tel.: +49 (2161) 4643-0 Fax: +49 (2161) 4643-100 E-Mail: martin.zobel-helas@credativ.de pgp fingerprint: 6B18 5642 8E41 EC89 3D5D BDBB 53B1 AC6D B11B 627B http://www.credativ.de credativ GmbH, HRB Mönchengladbach 12080 USt-ID-Nummer: DE204566209 Hohenzollernstr. 133, 41061 Mönchengladbach Geschäftsführung: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
Attachment:
signature.asc
Description: PGP signature