Re: Package source requirements for cloud images (Re: Debian images on Microsoft Azure cloud)
- To: Charles Plessy <email@example.com>
- Cc: firstname.lastname@example.org, debian-cloud <email@example.com>
- Subject: Re: Package source requirements for cloud images (Re: Debian images on Microsoft Azure cloud)
- From: Tiago Ilieve <firstname.lastname@example.org>
- Date: Wed, 2 Dec 2015 21:01:10 -0200
- Message-id: <CALdTKe_ATM=RRK216tKRq-FHamYP+OfB47XPYNDHtmnV2Ex7Sw@mail.gmail.com>
- In-reply-to: <20151122051536.GB17195@falafel.plessy.net>
- References: <20151110193404.GA17819@ftbfs.de> <20151111145336.GF23293@einval.com> <CACFaiRzLXux0NZePFtoKjcNGPQKTSZT+h2W3vx5YJ9X0temail@example.com> <20151118131226.GA24952@ftbfs.de> <20151120104152.9B4202C5@bendel.debian.org> <CAMcOGXEKdmGBYrrM++0HrWvRCdx1iBqTSRdTDSejQV5O3qemMA@mail.gmail.com> <CACFaiRzfDQmM3Je5LemftPU9wcD0gjF72R9mipnvmBcoyqMt7g@mail.gmail.com> <20151122051536.GB17195@falafel.plessy.net>
On 22 November 2015 at 03:15, Charles Plessy <firstname.lastname@example.org> wrote:
> Regarding security and GPG signing, obviously it is essential that a "Debian"
> image is configured to only retrieve packages from apt sources that are signed
> by Debian. But during the build process, while it is a best practice to use
> signed apt sources, does it have to be strictly mandatory, or can requirements
> regarding reproducibility and auditability be enough to ensure that an image
> does not contain malware, non-free software or simply third-party programs
> that are not redistributed by Debian?
What should we do about packages that are redistributed by Debian, but
need to be recompiled/repackaged for any reason?
For instance, Oracle Compute Cloud Service right now can't boot
images compressed with XZ (related to #699381), so we have to
rebuild the kernel package changing the kernel compression to GZIP.
This is the sole modification that has to be done, but it results in
a package that was not built using Debian infrastructure nor is signed.
Is there a possibility of having such package on a cloud image and
still call it "Debian official"?
Tiago "Myhro" Ilieve
Montes Claros - MG, Brasil