
Bug#971545: cloud.debian.org: Provide AMI image ID that is always recent



On Thu, Oct 01, 2020 at 05:16:36PM +0200, tkoeck wrote:
> is there an AMI image ID that is always the recent one?
> 
> As far as I have seen the AMI image ID always changes for every
> subversion (e.g. Debian 10.0 to 10.1)?
> 
> It would be interesting to have an AMI image ID which would always
> represent the newest Debian 10 AMI image with all security updates
> installed.

We publish updated AMIs (and images for other cloud services) when
necessary, not just on stable point releases.  You can see the history
for buster and stretch AMIs at the following locations.  Note especially
the updates addressing DSAs for core packages such as the kernel, libc,
or openssl.

https://wiki.debian.org/Cloud/AmazonEC2Image/Buster and
https://wiki.debian.org/Cloud/AmazonEC2Image/Stretch

We don't necessarily publish updates for every package in the base image
that gets an update.  Many package updates are for relatively minor
issues with a limited exposure.  Cloud-init provides a simple mechanism
allowing packages to be updated upon instance launch, and we run
unattended-upgrades by default.  Primarily, the packages that trigger an
AMI update are packages that require a reboot in order to be effectively
applied.

I think our current approach provides a good balance between up-to-date
contents and excessive churn.  However, if you really want something
more likely to be up-to-date, we generate images daily, and you can use
them.  You should understand that these daily builds are mostly intended
for testing purposes, and they could disappear with little to no
warning.  See
https://noah.meyerhans.us/2020/03/04/daily-vm-image-builds-are-available-from-the-cloud-team/
for details about where to find them.

noah
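
The message above relies on unattended-upgrades being enabled and notes that some updates only take effect after a reboot. The following check, run on an instance launched from a published AMI, reports whether both conditions hold. It is an added example, not part of the original message or of Debian cloud team tooling; the function names and the ROOT argument are hypothetical.

```sh
#!/bin/sh
# Added example. The optional ROOT prefix exists only so the checks can be
# exercised against a constructed test tree instead of the live system.

# Succeeds if apt's periodic configuration enables unattended-upgrades.
# Files in apt.conf.d are read in lexical order, so the last setting wins.
auto_upgrades_enabled() {
    root="${1:-}"
    value=$(cat "$root"/etc/apt/apt.conf.d/* 2>/dev/null |
        grep -E '^[[:space:]]*APT::Periodic::Unattended-Upgrade[[:space:]]' |
        tail -n 1 | sed -E 's/^[^"0-9]*"?([0-9]+)"?.*$/\1/')
    [ -n "$value" ] && [ "$value" != "0" ]
}

# Succeeds if an installed update still needs a reboot to take effect.
# On Debian, upgrade hooks (for example the kernel postinst hook shipped
# with unattended-upgrades) touch this flag file.
reboot_pending() {
    [ -e "${1:-}/var/run/reboot-required" ]
}

# Prints one of: auto-upgrades-disabled, reboot-required, ok
patch_state() {
    root="${1:-}"
    if ! auto_upgrades_enabled "$root"; then
        echo "auto-upgrades-disabled"
    elif reboot_pending "$root"; then
        echo "reboot-required"
    else
        echo "ok"
    fi
}

# Report the state of the running system (or of the tree given as $1).
patch_state "${1:-}"
```

A result of `reboot-required` on a freshly launched instance means the AMI predates an update that cannot be applied in place.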

