Re: Package source requirements for cloud images (Re: Debian images on Microsoft Azure cloud)
- To: Charles Plessy <plessy@debian.org>
- Cc: debian-cd@lists.debian.org, debian-cloud <debian-cloud@lists.debian.org>
- Subject: Re: Package source requirements for cloud images (Re: Debian images on Microsoft Azure cloud)
- From: Tiago Ilieve <tiago.myhro@gmail.com>
- Date: Wed, 2 Dec 2015 21:01:10 -0200
- Message-id: <CALdTKe_ATM=RRK216tKRq-FHamYP+OfB47XPYNDHtmnV2Ex7Sw@mail.gmail.com>
- In-reply-to: <20151122051536.GB17195@falafel.plessy.net>
- References: <20151110193404.GA17819@ftbfs.de> <20151111145336.GF23293@einval.com> <CACFaiRzLXux0NZePFtoKjcNGPQKTSZT+h2W3vx5YJ9X0t-ms1g@mail.gmail.com> <20151118131226.GA24952@ftbfs.de> <20151120104152.9B4202C5@bendel.debian.org> <CAMcOGXEKdmGBYrrM++0HrWvRCdx1iBqTSRdTDSejQV5O3qemMA@mail.gmail.com> <CACFaiRzfDQmM3Je5LemftPU9wcD0gjF72R9mipnvmBcoyqMt7g@mail.gmail.com> <20151122051536.GB17195@falafel.plessy.net>
Hi Charles,
On 22 November 2015 at 03:15, Charles Plessy <plessy@debian.org> wrote:
> Regarding security and GPG signing, obviously it is essential that a "Debian"
> image is configured to only retrieve packages from apt sources that are signed
> by Debian. But during the build process, while it is a best practice to use
> signed apt sources, does it have to be strictly mandatory, or can requirements
> regarding reproducibility and auditability be enough to ensure that an image
> does not contain malware, non-Free software or simply third-party programs
> that are not redistributed by Debian?
What should we do about packages that are redistributed by Debian, but
need to be recompiled/repackaged for any reason?
For instance, Oracle Compute Cloud Service[1] right now can't boot
images compressed with XZ (related to #699381[2]), so we have to
rebuild the kernel package changing the kernel compression to GZIP[3].
This is the only modification that has to be done, but it results in
a package that was not built using Debian infrastructure nor is signed
by Debian.
Is there a possibility of having such a package on a cloud image and
still calling it "Debian official"?
Regards,
Tiago.
[1]: https://cloud.oracle.com/en_US/compute
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699381
[3]: https://github.com/myhro/debian-linux-kernel-gzip/commit/a498e7a7fe3b0b9057530f1523f4c7604bfab7f1
--
Tiago "Myhro" Ilieve
Blog: https://blog.myhro.info/
GitHub: https://github.com/myhro
LinkedIn: https://br.linkedin.com/in/myhro
Montes Claros - MG, Brasil
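A defender-side check for the situation Tiago describes, added here as an example and not taken from the thread or from any Debian cloud tooling: a small Python audit that flags apt sources with signature checking disabled (`[trusted=yes]`), apt options that permit unauthenticated packages, and installed package versions that do not appear in a signed archive's Packages index, which is exactly how a locally rebuilt kernel such as the GZIP-compressed one would show up. All sample inputs (the sources.list, apt.conf fragment, dpkg-query output, Packages excerpt and every package version) are constructed for illustration.

```python
import re

# Constructed sample /etc/apt/sources.list (illustrative, not from the thread)
SOURCES_LIST = """\
# Debian-signed archives
deb http://deb.debian.org/debian jessie main
deb http://security.debian.org/ jessie/updates main
# locally rebuilt packages with signature checking switched off
deb [trusted=yes] file:/tmp/local-debs ./
"""

# Constructed sample fragment of /etc/apt/apt.conf.d/*
APT_CONF = """\
APT::Install-Recommends "0";
APT::Get::AllowUnauthenticated "true";
"""

# Constructed output of: dpkg-query -W -f='${Package}\t${Version}\n'
# (version strings are made up; "+gzip1" marks a local kernel rebuild)
INSTALLED = """\
linux-image-amd64\t4.2.6-1+gzip1
openssh-server\t1:6.7p1-5+deb8u1
cloud-init\t0.7.6~bzr976-2
"""

# Constructed excerpt of a Packages index obtained from a signed archive
# (after 'apt-get update' has verified the InRelease signature)
ARCHIVE_INDEX = """\
Package: linux-image-amd64
Version: 4.2.6-1

Package: openssh-server
Version: 1:6.7p1-5+deb8u1

Package: cloud-init
Version: 0.7.6~bzr976-2
"""

# apt options that disable signature enforcement when set to "true"
INSECURE_OPTIONS = (
    "APT::Get::AllowUnauthenticated",
    "Acquire::AllowInsecureRepositories",
)


def unsigned_sources(sources_list):
    """Return source lines whose [trusted=yes] option disables GPG checks."""
    found = []
    for line in sources_list.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"deb(?:-src)?\s+\[([^\]]*)\]", line)
        if m and re.search(r"\btrusted=yes\b", m.group(1)):
            found.append(line)
    return found


def insecure_apt_options(apt_conf):
    """Return the names from INSECURE_OPTIONS that are enabled in apt_conf."""
    found = []
    for name in INSECURE_OPTIONS:
        pattern = re.escape(name) + r'\s+"(true|yes|1)"\s*;'
        if re.search(pattern, apt_conf, re.IGNORECASE):
            found.append(name)
    return found


def parse_index(index_text):
    """Map package name -> set of versions listed in a Packages index."""
    versions = {}
    for stanza in index_text.split("\n\n"):
        fields = dict(re.findall(r"^(\w+): (.*)$", stanza, re.MULTILINE))
        if "Package" in fields and "Version" in fields:
            versions.setdefault(fields["Package"], set()).add(fields["Version"])
    return versions


def parse_installed(dpkg_text):
    """Map package name -> installed version from dpkg-query output."""
    installed = {}
    for line in dpkg_text.splitlines():
        if line.strip():
            name, version = line.split("\t", 1)
            installed[name] = version
    return installed


def packages_not_in_archive(installed, archive):
    """Installed (package, version) pairs absent from the signed index.

    A locally rebuilt package (e.g. a kernel with changed compression) is
    reported because its version string never appears in the archive."""
    return {name: ver for name, ver in installed.items()
            if ver not in archive.get(name, set())}


def audit(sources_list=SOURCES_LIST, apt_conf=APT_CONF,
          dpkg_text=INSTALLED, index_text=ARCHIVE_INDEX):
    """Run all three checks over the given inputs and return the findings."""
    return {
        "unsigned_sources": unsigned_sources(sources_list),
        "insecure_options": insecure_apt_options(apt_conf),
        "unofficial_packages": packages_not_in_archive(
            parse_installed(dpkg_text), parse_index(index_text)),
    }
```

On a real image, feed `audit()` the actual `/etc/apt/sources.list`, the concatenated `apt.conf.d` fragments, the output of `dpkg-query -W -f='${Package}\t${Version}\n'`, and the Packages files under `/var/lib/apt/lists/` for the Debian archives; anything reported under `unofficial_packages` is a package that was not built and signed by Debian and needs to be documented (or rebuilt on Debian infrastructure) before the image can be called official.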