Re: Security updates

[Noah Meyerhans <noahm@debian.org>]

Hi Tobias,

On Fri, Apr 05, 2019 at 06:22:47PM +0200, Tobias Koeck wrote:
>    I want to use the Debian Stretch AMI to use as an image for Kubernetes /
>    Kops base. As I have seen there are some updates with the image
>    [1]https://wiki.debian.org/Cloud/AmazonEC2Image/Stretch
>    - Do you implement all updates which are also included in the normal ISO
>    package release?

In general, the images are updated whenever a bundled package is updated
that requires a reboot in order to apply definitively. Kernel, glibc,
and openssl changes almost always fall under this category.

(Note that there's a pending kernel update on the published AMIs today,
but it fixes a boot issue on 32-bit ARM systems, and nothing else, so I
have not updated the AMIs to include it.)

>    - How long does it take to implement the security patches until it is in
>    the AMI?
>    - What happens with a critical security patch? Will it be implemented
>    immediately in the AMI?

Typically AMIs are updated on the same day that a security update is
available. In practice, until we have more automation in place for
performing AMI releases (which is a WIP), I'm the only one performing
updates, so my unavailability could delay publication.

>    - Is the Unattended Upgrade activated in the AMI?

yes

noah