
Re: EC2 images



[-Removing kula@d.o as undeliverable]

On Thu, Jul 04, 2013 at 06:37:37PM -0400, Jimmy Kaplowitz wrote:
> That said, currently the Google-specific startup scripts which are installed in
> Google Compute Engine images handle this correctly, removing all three types of
> keys on first boot (clearly a bit of the distro-independent logic there
> overlaps with build-debian-cloud). Therefore the Google images shouldn't be
> vulnerable.
> 
> It would be great if someone reading this would test - I'm rushing to prepare
> for holiday travel, but pushing out images in line with actual urgency can be
> done from my trip. If you want to help more with Google Compute Engine images
> but don't have access, send me a Google account and I can give you access to a
> free-billing but shared/small-quota project.

Never mind, I forgot I had my personal laptop set up properly for Google
Compute Engine. I just did a quick test, and two newly created Debian wheezy
instances had different ECDSA host keys. So confirmed, our Google Compute
Engine images aren't vulnerable.

This reminds me, I realize I never announced 7.1 images here - I built them the
Monday after release, and published them 2-3 days later following both manual
and Google-internal validation. If you use --image=debian-7 when calling gcutil
addinstance, you'll always get the latest Debian wheezy image on Google Compute
Engine.

- Jimmy Kaplowitz
jimmy@debian.org
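
The check described in the message above (instances created from the same image should not share an SSH host key), as an added example that is not part of the original post. It assumes `ssh-keyscan`-style lines (`host keytype base64-key`) collected from the instances; the host names and key blobs below are constructed placeholders, not real keys.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(scan_text):
    """Return {(keytype, fingerprint): sorted hosts} for keys seen on >1 host."""
    seen = defaultdict(set)
    for line in scan_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@")):
            continue  # skip blanks, comments and @cert-authority/@revoked markers
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line
        hosts, keytype, blob = fields[0], fields[1], fields[2]
        try:
            fp = fingerprint(blob)
        except ValueError:
            continue  # not valid base64: ignore rather than mis-group
        # The host field may be "name,address"; use the first name as the host.
        seen[(keytype, fp)].add(hosts.split(",")[0])
    return {key: sorted(hosts) for key, hosts in seen.items() if len(hosts) > 1}


def _blob(tag):
    # Constructed placeholder bytes standing in for a real public key blob.
    return base64.b64encode(tag).decode()


# Constructed sample: distinct ECDSA keys per host, one RSA key baked into both.
SAMPLE_SCAN = "\n".join([
    "# constructed sample, not real scan output",
    f"vm-a ecdsa-sha2-nistp256 {_blob(b'constructed-ecdsa-A')}",
    f"vm-b ecdsa-sha2-nistp256 {_blob(b'constructed-ecdsa-B')}",
    f"vm-a ssh-rsa {_blob(b'constructed-rsa-baked-in')}",
    f"vm-b ssh-rsa {_blob(b'constructed-rsa-baked-in')}",
])

if __name__ == "__main__":
    for (keytype, fp), hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"shared {keytype} {fp}: {', '.join(hosts)}")
```

An empty result for every key type is what a correctly built image should produce.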

