[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Proposal: Publishing Lifecycle Guidelines along with Cloud Images



Hi,

in a different thread on this mailing list it has been brought to our
attention, that the team producing the images, the team providing LTS
support for Debian and OUR USERS have different expectations on the
lifecycle and the security support of our cloud images.

I need to admit, that at least from my perspective we handled this not
the optimal way and upset several of our Debian members and our users.

While it is probably hard to change expectations to existing Jessie and
Stretch images, we might want to publish and announce a lifecycle and
security guideline along with our cloud images with the beginning of
buster.  Those guidelines could be a wiki page or a web page the various
cloud providers link from their marketplace platforms.

My personal guess is, that with a lifecycle guideline both we and our
users can do better planning, and our users are not suddenly surprised
by the absent of specific images on the various cloud providers
plattforms. Also, we can link to such a lifecycle guideline much better
when it exists!

A lifecycle guideline COULD look like this:

Stable Images for Buster (stable)
---------------------------------
The Debian Project will release it's new stable release 10 (Codename
Buster) along with images for various major cloud providers. Thus images
will be announced on the debian-cloud-announce@lists.debian.org mailing
list. Updates to those images will also be announced to this mailing
list.

All images (beside to the market place publication) are available for
download at https://images.debian.org/cloud/<codename>/XXX, including
link to build logs and a digital signature.

Security Support for Buster (stable) images
-------------------------------------------
Images will be respinned whenever a network facing service on those
images receives a public security update (via debian-security), 
whenever a major issue within those images is discovered or a kernel
update for those has been published via official debian channels.

For the convinience of our users our images are respinned approx. every
eight weeks to collect all the other security updates issued for
non-network facing security updates. Images will be no later be
respinned than a stable point release.

All changes to those images will be announced to the
debian-cloud-announce@lists.debian.org mailing list.

All images (beside to the market place publication) are available for
download at https://images.debian.org/cloud/<codename>/XXX, including
link to build logs and a digital signature.

Release of Bulls Eye (Debian 11)
--------------------------------
The Debian Project will continue to support Debian 10 images after the
publication of Debian 11 (Codename Bullseye) during Debian 10's official
security support cycle. 

Images will be respinned whenever a network facing service on those
images receives a public security update (via debian-security), 
whenever a major issue within those images is discovered or a kernel
update for those has been published via official debian channels.

For the convinience of our users our images are respinned approx. every
eight weeks to collect all the other security updates issued for
non-network facing security updates. Images will be no later be
respinned than a stable point release.

All changes to those images will be announced to the
debian-cloud-announce@lists.debian.org mailing list.

All images (beside to the market place publication) are available for
download at https://images.debian.org/cloud/<codename>/XXX, including
link to build logs and a digital signature.

End of Security Support of Debian 10
------------------------------------
With the end of the security support of Debian 10, the Debian Cloud team
will publish an 'End of Service (EoS)' announcement to the
debian-cloud-announce@lists.debian.org mailing list giving a 180 days
warning period of the disappearance of Debian 10 cloud images in the
according vendor marketplaces. This EoS mail will encourage our users to
switch to newer cloud images.

During this 180 days grace period images are respinned approx. every
3 months to collect all the security updates issued for Debian 10 via
the LTS team.

All changes to those images will be announced to the
debian-cloud-announce@lists.debian.org mailing list.

All images (beside to the market place publication) are available for
download at https://images.debian.org/cloud/<codename>/XXX, including
link to build logs and a digital signature.

Announcing End of Service
-------------------------
10 days before the EoS, the Debian cloud team will send a reminder to
the debian-cloud-announce@lists.debian.org mailing list to remind users
of the removal of the according images from the vendor market places.

This mail will also inform the users that the images are still
discoverable via direct link for an other 180 days from the specifc
vendors cloud storage, but no longer receive any updates from the Debian
cloud team. After those 180 days, the End of Lifetime is reached.

All images are available for download at
https://images.debian.org/cloud/<codename>/XXX, including link to build
logs and a digital signature.

Announcing End of Liftime
-------------------------
10 days before the End of Lifetime is reached, the cloud providers will
inform their users via their internal channels of the removal of the
cloud images from their specific storage.

All images are still available for download at
https://images.debian.org/cloud/<codename>/XXX, including link to build
logs and a digital signature.


As stated above, this is only a proposal that I have not shared with any
other person on the mailing list before sending it out. This is just an
idea. Please feel free to either turn that idea down, or send any
adjustments to it.

Best regards,
Martin
-- 
 Martin Zobel-Helas <zobel@debian.org>    Debian System Administrator
 Debian & GNU/Linux Developer                       Debian Listmaster
 http://about.me/zobel                               Debian Webmaster
 GPG Fingerprint:  6B18 5642 8E41 EC89 3D5D  BDBB 53B1 AC6D B11B 627B 

Attachment: signature.asc
Description: PGP signature


Reply to: