Re: Updating images on GCE to address CVE-2014-0160
On Fri, Apr 11, 2014 at 11:34 AM, Tyler Riddle <email@example.com> wrote:
> It was suggested to me that a valid compromise would be to provide two GCE specific images. While I don't disagree that automatic updates of packages is a useful feature, I do disagree that the behavior is properly Debian/Wheezy. How about having two images available - the first image (head of the list, default choice, most obvious thing) is configured as has been proposed: newbie friendly and designed so that anyone, even people who have no idea what they are doing, can have some reasonable expectation of maintaining an up-to-date server. The image description should properly list it as "Debian/Wheezy GCE edition" and mention the behavior changes.
> The next image would be one for people who know what they are doing. This one could be labeled as "Debian/Wheezy" only. The behavior would match what a seasoned user of Debian would expect. People who know what they are doing will be able to read the image descriptions and select the correct image for their use case. Seasoned admins don't have to undo work that only exists because of others that don't know what they are doing.
> This is the first comprise I've seen yet that does not include changing the way things will be unpredictable. It seems reasonable to me.
This idea sounds good to me and would serve both sets of users, while
introducing a slight bit of confusion to GCE users about which to
choose, which I think is acceptable.
Hopefully having automatic security updates enabled for Debian 8 could
be considered in parallel as well.
> On Apr 11, 2014, at 9:29 AM, Mathieu Parent <firstname.lastname@example.org> wrote:
>> Cloud VMs
>> are very exposed and security updates should probably be opt-out
>> rather than opt-in.