Re: Cloud team plans for cloud-hosted mirrors
On Fri, Jan 28, 2022 at 05:48:37PM +0900, Charles Plessy wrote:
> On Tue, Jan 25, 2022 at 09:47:49PM -0800, Ross Vandegrift wrote:
> > The cloud team wants to make folks aware of a possible change to the cloud
> > images. The team plans to register a new domain, debian.cloud
> Hi Ross and everybody,
> I understand that using debian.cloud is the simplest way to go, but on
> the other hand wouldn't it contribute to the confusion over what is an
> "official" Debian product or source?
Thanks for raising this question! I had this worry originally, but the team
talked me out of it. I've come to think that, with a bit of documentation, it
could reduce confusion from the current state.
Our official image requirements do not constrain mirrors. Right now,
providers using a local mirror have sources.list modified during the build
process. So a user on Azure and AWS will see different things in sources.list.
If we migrate to a common zone, users will see the same suffix. That's true
whether it's a subzone of debian.org or a new second-level domain.
> The simplest message we can give to our users is that if it is from
> "debian.org", it is from us
Yes - but as Julien mentioned, DSA may have a stricter view of what "from us"
means. Their line (no new third-party services in debian.org) seems
reasonable. I don't know if we can promise that the cloud team will always run
all of these mirrors, so I don't think we can meet DSA's bar.
Sometimes, the issue might be complicated - providers employ team members to
deploy a mirror that they operate, or contract with team members' employers.
Is that mirror from us? What happens to the mirror's status if the person
leaves the cloud team, or the job? I'm not sure we'd have consensus on these
questions, even just inside of the cloud team.
> if it is from "debian.net" there is at least one DD involved, but no
> project-wide review
We considered this, but two properties make it unattractive:
1) debian.net names are tied to a single member's status
2) they can be edited by too many people
This is not robust or trustworthy enough for users.
> and if there is "debian" elsewhere in the name, there is strictly no
> guarantee that it is endorsed by us, and there is even the possibility that
> it is predatory.
While I agree there is no guarantee in general, are you concerned about a
delegated team providing it about a particular domain?
Hope that helps,
 - https://wiki.debian.org/Teams/DPL/OfficialImages