Re: Package source requirements for cloud images (Re: Debian images on Microsoft Azure cloud)

[Tiago Ilieve <tiago.myhro@gmail.com>]

Hi Charles,

On 22 November 2015 at 03:15, Charles Plessy <plessy@debian.org> wrote:

> Regarding security and GPG signing, obviously it is essential that a "Debian"
> image is configured to only retreive packages from apt sources that are signed
> by Debian.  But during the build process, while it is a best practice to use
> signed apt sources, does it have to be strictly mandatory, or can requirements
> regarding reproducibilty and auditability be enough to ensure that an image
> does not contain malwares, non-Free software or simply third-party programs
> that are not redistributed by Debian ?

What should we do about packages that are redistributed by Debian, but
needs to be recompiled/repackaged for any reason?

For instance, Oracle Compute Cloud Service[1] right now can't boot
images compressed with XZ (related to #699381[2]), so we have to
rebuild the kernel package changing the kernel compression to GZIP[3].
This is the solely modification the has to be done, but it results in
a package that was not built using Debian infrastructure nor is signed
by Debian.

Is there a possibility of having such package on a cloud image and
still call it as "Debian official"?

Regards,
Tiago.

[1]: https://cloud.oracle.com/en_US/compute
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699381
[3]: https://github.com/myhro/debian-linux-kernel-gzip/commit/a498e7a7fe3b0b9057530f1523f4c7604bfab7f1

-- 
Tiago "Myhro" Ilieve
Blog: https://blog.myhro.info/
GitHub: https://github.com/myhro
LinkedIn: https://br.linkedin.com/in/myhro
Montes Claros - MG, Brasil