
Re: Debian images on Microsoft Azure cloud

On 11/23/2015 01:28 AM, Steve McIntyre wrote:
> [ Apologies for delayed responses - massively busy in the last week
>   ... ]

No worries, and no hurry. :)

> On Thu, Nov 12, 2015 at 10:04:19PM +0100, Thomas Goirand wrote:
>> On 11/12/2015 07:58 PM, Bastian Blank wrote:
>>> Also none of the built stuff is updated regularly with security
>>> fixes.
>> If you think we should do more regular updates of the cloud images (ie:
>> more often than the point releases), then we can discuss this with
>> Steve. The shellshock and heartbleed holes, for example, were very valid
>> cases where an update of these images would have been desirable.
>> It would be a very good idea to trigger builds if there's a DSA on a
>> package included in the image. I don't think it'd be too hard to implement.
>> Steve, your thoughts on this specific problem?
> That's a very good question, and one I'll admit that I'd not paid much
> attention to. Unless the images are set up to auto-update at boot (is
> that a sensible thing? Do any of the published images do this?), we
> should definitely be updating/replacing our official images
> regularly. So... Should we just get into the habit of doing a rebuild
> once weekly/monthly? If you'd rather trigger on security bugs, a cron
> script to check the list of included packages for updates will be
> needed.

I very much would prefer the latter for the stable image. And I'd be for
increasing the micro-version of the image in case of such an emergency
update. The recent heartbleed and shellshock proved it would be valuable
to not wait a week, and at the same time, generating a new image when no
package has a security fix is annoying.

Checking against the image's list of packages is easy, but how do you get
the new packages for which a DSA was sent? Would you configure a new mailbox,
get it registered to the DSA announce list, and wire that to a script?
I'd know how to do that on my own server. But I just wonder if there's
an easier way.

> If we want truly responsive builds in that latter case, then we'll
> possibly need to change the signing that happens too. The existing
> debian-cd signatures are done by hand for the stable builds.

Hum... But you're not signing the cloud images, are you?


Thomas Goirand (zigo)
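The check the thread is circling around, a cron-driven script that compares the image's package list against the fixed versions named in DSAs and only asks for a rebuild when an installed package is older, as an added example that is not code from this thread or from Debian's own tooling. The manifest and DSA entries are constructed samples, and the version ordering follows the rules in deb-version(7):

```python
import itertools
import re
# Constructed: what `dpkg-query -W -f '${Package} ${Version}\n'` printed inside the image.
IMAGE_MANIFEST = """\
bash 4.3-11
openssl 1.0.1k-3+deb8u1
libssl1.0.0 1.0.1k-3+deb8u1
cloud-init 0.7.6~bzr976-2
"""
# Constructed: (source package, version carrying the fix) as parsed from DSA mails.
DSA_FIXED = [("bash", "4.3-11+deb8u1"), ("openssl", "1.0.1k-3+deb8u1"),
             ("libssl1.0.0", "1.0.1k-3+deb8u2"), ("linux", "3.16.7-ckt11-1+deb8u6")]

def _order(c):
    """Character weight per deb-version(7): '~' < end-of-string < letters < other symbols."""
    if c in ("~", ""): return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare an upstream_version or debian_revision string; returns -1, 0 or 1."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]          # non-digit run: char by char
        for ca, cb in itertools.zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]          # digit run: numerically
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def deb_version_cmp(v1, v2):
    """Compare two Debian versions ([epoch:]upstream[-revision]); -1, 0 or 1."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    e1, u1, r1 = split(v1); e2, u2, r2 = split(v2)
    if e1 != e2: return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def packages_needing_rebuild(manifest=IMAGE_MANIFEST, dsas=DSA_FIXED):
    """Names of image packages whose installed version is older than a DSA fix."""
    installed = dict(line.split() for line in manifest.splitlines() if line.strip())
    fixed = {}
    for pkg, ver in dsas:  # keep only the newest fixed version per package
        if pkg not in fixed or deb_version_cmp(ver, fixed[pkg]) > 0: fixed[pkg] = ver
    return sorted(p for p, v in installed.items()
                  if p in fixed and deb_version_cmp(v, fixed[p]) < 0)
```

A non-empty result is the signal to bump the image's micro-version and rebuild; an empty one means the DSA touched nothing the image ships.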
