[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian images on Microsoft Azure cloud


On Wed Nov 11, 2015 at 12:01:01 +0100, Richard Hartmann wrote:
> Without any official hat, I agree with Md that the changes to the
> installed packages seem reasonable, as sparse as possible, and driven
> by technological necessity.
> I would like to see an official list of packages and checksums
> (ideally both SHA-512 and SHA 3-512 as compute & storage are cheap and
> using two families increases resilience significantly) & size of the
> base image and all files in the base install, sent to list and signed
> by a DD, though. 

a "find / -exec sha3sum {} \; > logfile.log" should be easily doable.

>                   Putting said base image and signed list into a place
> where DSA can safe-guard it long-term would be the cherry on top.
> This seems to be reasonable in terms of actual effort and could help
> establish a baseline for a published list of known-good system states.

I would like to discuss that part with Steve McIntyre, but it sounds
doable, maybe not for the first round of publishing though.

> It's also a request which we could reasonably extend to everyone
> interested in publishing their images on the respective platforms,
> both retroactively and going forward.

I would suggest we open a seperate thread on the debian-cloud mailing
list for defining a list of official requirements for all vendors. As
long as we define the first version of that list i would suggest though
that those are nice to have for the Azure (and all other) images but
will not block us from releasing the images.

Martin Zobel-Helas
Technischer Leiter Betrieb
Tel.:   +49 (2161) 4643-0
Fax:    +49 (2161) 4643-100
E-Mail: martin.zobel-helas@credativ.de
pgp fingerprint: 6B18 5642 8E41 EC89 3D5D  BDBB 53B1 AC6D B11B 627B

credativ GmbH, HRB Mönchengladbach 12080
USt-ID-Nummer: DE204566209
Hohenzollernstr. 133, 41061 Mönchengladbach
Geschäftsführung: Dr. Michael Meskes, Jörg Folz, Sascha Heuer

Reply to: