Re: Debian images on Microsoft Azure cloud

To: debian-cd@lists.debian.org
Cc: debian-cloud@lists.debian.org, debian-cd@lists.debian.org
Subject: Re: Debian images on Microsoft Azure cloud
From: Thomas Goirand <zigo@debian.org>
Date: Mon, 23 Nov 2015 23:16:11 +0100
Message-id: <[🔎] 5653902B.8040202@debian.org>
In-reply-to: <[🔎] 20151123002855.GK3638@einval.com>
References: <[🔎] 20151110193404.GA17819@ftbfs.de> <[🔎] CAD77+gTzr8qd5VVyUpWXBm94HvBhGdGYeO_XBH6Bmu=QhLDtHA@mail.gmail.com> <[🔎] 5644A8FB.3010902@debian.org> <[🔎] 20151112185830.GA2713@mail.waldi.eu.org> <[🔎] 5644FED3.2000109@debian.org> <[🔎] 20151123002855.GK3638@einval.com>

On 11/23/2015 01:28 AM, Steve McIntyre wrote:
> [ Apologies for delayed responses - massively busy in the last week
>   ... ]

No worries, and no hurry. :)

> On Thu, Nov 12, 2015 at 10:04:19PM +0100, Thomas Goirand wrote:
>> On 11/12/2015 07:58 PM, Bastian Blank wrote:
>>
>>> Also none of the built stuff is updated regulary with security
>>> fixes.
>>
>> If you think we should do more regular updates of the cloud images (ie:
>> more often than the point releases), then we can discuss this with
>> Steve. The shellshock and heartbleed holes for examples, were very valid
>> cases were an update of these images would have been desirable.
>>
>> It would be a very good idea to trigger builds if there's a DSA on a
>> package included in the image. I don't think it'd be too hard to implement.
>>
>> Steve, your thoughts on this specific problem?
> 
> That's a very good question, and one I'll admit that I'd not paid much
> attention to. Unless the images are set up to auto-update at boot (is
> that a sensible thing? Do any of the published images do this?), we
> should definitely be updating/replacing our official images
> regularly. So... Should we just get into the habit of doing a rebuild
> once weekly/monthly? If you'd rather trigger on security bugs, a cron
> script to check the list of included packages for updates will be
> needed.

I very much would prefer the later for the stable image. And I'd be for
increasing the micro-version of the image in case of such an emergency
update. The recent heatbleed and shellshock proved it would be valuable
to not wait a week, and at the same time, generating a new image when no
package has a security fix is annoying.

Checking against the image list of package is easy, but how do you get
new packages for which a h was sent? Would you configure a new mailbox,
get it registered to the DSA announce list, and wire that to a script?
I'd know how to do that on my own server. But I just wonder if there's
an easier way.

> If we want truly responsive builds in that latter case, then we'll
> possibly need to change the signing that happens too. The existing
> debian-cd signatures are done by hand for the stable builds.

Hum... But you're not signing the cloud images, are you?

Cheers,

Thomas Goirand (zigo)

Reply to:

References:
- Debian images on Microsoft Azure cloud
  - From: Martin Zobel-Helas <martin.zobel-helas@credativ.de>
- Re: Debian images on Microsoft Azure cloud
  - From: Richard Hartmann <richih.mailinglist@gmail.com>
- Re: Debian images on Microsoft Azure cloud
  - From: Thomas Goirand <zigo@debian.org>
- Re: Debian images on Microsoft Azure cloud
  - From: Bastian Blank <waldi@debian.org>
- Re: Debian images on Microsoft Azure cloud
  - From: Thomas Goirand <zigo@debian.org>
- Re: Debian images on Microsoft Azure cloud
  - From: Steve McIntyre <steve@einval.com>

Prev by Date: Re: Debian images on Microsoft Azure cloud
Next by Date: Re: Debian images on Microsoft Azure cloud
Previous by thread: Re: Debian images on Microsoft Azure cloud
Next by thread: Re: Debian images on Microsoft Azure cloud
Index(es):
- Date
- Thread