Re: Updating images on GCE to address CVE-2014-0160
2014-04-11 22:18 GMT+02:00 Matt Alexander <matta@google.com>:
> On Fri, Apr 11, 2014 at 11:34 AM, Tyler Riddle <triddle@socialflow.com> wrote:
>> It was suggested to me that a valid compromise would be to provide two GCE specific images. While I don't disagree that automatic updates of packages is a useful feature, I do disagree that the behavior is properly Debian/Wheezy. How about having two images available - the first image (head of the list, default choice, most obvious thing) is configured as has been proposed: newbie friendly and designed so that anyone, even people who have no idea what they are doing, can have some reasonable expectation of maintaining an up-to-date server. The image description should properly list it as "Debian/Wheezy GCE edition" and mention the behavior changes.
>>
>> The next image would be one for people who know what they are doing. This one could be labeled as "Debian/Wheezy" only. The behavior would match what a seasoned user of Debian would expect. People who know what they are doing will be able to read the image descriptions and select the correct image for their use case. Seasoned admins don't have to undo work that only exists because of others that don't know what they are doing.
>>
>> This is the first comprise I've seen yet that does not include changing the way things will be unpredictable. It seems reasonable to me.
>
> This idea sounds good to me and would serve both sets of users, while
> introducing a slight bit of confusion to GCE users about which to
> choose, which I think is acceptable.
I agree.
> Hopefully having automatic security updates enabled for Debian 8 could
> be considered in parallel as well.
I have just started a discussion in -devel about this.
Should appear soon at:
https://lists.debian.org/debian-devel/2014/04/threads.html
Regards
--
Mathieu Parent
Reply to: