[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Package source requirements for cloud images (Re: Debian images on Microsoft Azure cloud)

> > On Fri, Nov 20, 2015 at 11:57 AM Narcis Garcia <debianlists@actiu.net>
> >> 
> >> "Official mirrors" shouldn't contain differences to debian.org
> >> repositories. Otherwise they should be named "Debian based" too.

> On Fri, Nov 20, 2015 at 7:04 PM, Anders Ingemann <anders@ingemann.de> wrote:
> >
> > Isn't that what we have GPG package signatures for? In the end, the real
> > showstopper would be the installation of public keys that are not controlled
> > by Debian. As long as I know that the only keys software is verified with
> > are official Debian ones I couldn't care less where I get my "data" from -
> > or at least that's how I think it should be, I am not pretending to know the
> > official stance on this.

Le Fri, Nov 20, 2015 at 09:30:29PM -0500, Brian Gupta a écrit :
> 
> Ok, I think I stand corrected. The requirement should then perhaps be, no
> third party keys? (I guess I was mistaken when I thought there was a known
> trust issue with third party repos, in that they could be configured to serve
> out-of-date packages to leave open backdoors into running servers.)

Hello everybody,

Indeed (and as discussed earlier in this thread), there are good reasons for
not making it mandatory to use "official mirrors".  Concerns over security will
better be adressed with requirements related to signed package sources.

For mirrors to be "official", they need to be accepted as such by the Debian
Mirrors Administrators.  They have guidelines listed on our website:
<https://www.debian.org/mirror/official#criteria>.  Thus, requesting that any
cloud image is made from official mirrors is likely to give them extra work,
therefore they should at least be consulted if we took that decision.  In any
case this looks highly impractical.

Regarding security and GPG signing, obviously it is essential that a "Debian"
image is configured to only retreive packages from apt sources that are signed
by Debian.  But during the build process, while it is a best practice to use
signed apt sources, does it have to be strictly mandatory, or can requirements
regarding reproducibilty and auditability be enough to ensure that an image
does not contain malwares, non-Free software or simply third-party programs
that are not redistributed by Debian ?

Have a nice Sunday,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan
Reply to: