Re: Updating images on GCE to address CVE-2014-0160
2014-04-11 15:47 GMT+02:00 Tyler Riddle <email@example.com>:
>> However, given that there is no consensus on this, I am wondering what's the best way to move forward on this.
> Best case: don't enable automatic updates. Specifically don't have the images perform any action that the stock OS install media will not do. In fact the goal of the Debian Cloud project should be to write the bare minimum additional integration required to support operation on the cloud so that a Debian based OS is consistent and uniform.
> Please do not attempt to think for users. Please do not attempt to create a cloud OS. Please coordinate with the CD and DVD image release team to learn how to test and avoid the severe mistakes that have happened with the cloud releases. Please leave Debian alone.
Maybe this should be discussed with the security team? Having the
Debian cloud images insecure by default is not very good. Cloud VMs
are very exposed and security updates should probably be opt-out
rather than opt-in.