proposal: changes to bullseye-backports publication on azure

Azure Marketplace has implemented new restrictions on Marketplace
listings that will impact how we publish bullseye-backports. All v2 SKUs
in a given plan must be published with the same security configuration
(none or Trusted Launch, in our case). For most supported Debian
releases, this is fine, as Trusted Launch is fully supported for all
gen2 SKUs (amd64 and arm64 architectures, specifically). However, this
is not the case with bullseye-backports.

For toolchain-related reasons, bullseye didn't support UEFI Secure Boot
on arm64, so the corresponding SKUs would need to indicate this by
providing a security setting of "none". Our amd64 images do support
secure boot, so we publish those with the security setting of "Trusted
Launch". With this new Marketplace restriction, these cannot be
different SKUs within the same plan, so we need to move them to separate
plans. Doing this will require user-visible changes.

Within the 11-backports plan, we currently publish the following SKUs:
* amd64 gen1 is published as 11-backports
* amd64 gen2 is published as 11-backports-gen2
* arm64 gen2 is published as 11-backports-arm64

In order to support Microsoft's change, we need to move one or both of
the gen2 SKUs to a new plan. SKUs cannot be re-used between plans, so
doing this requires that we also introduce new SKUs for any listings
that we publish under a different plan. Because SKUs are user-visible
and are used to specify a particular image when launching a VM, this
is a disruptive change. I believe the least disruptive path forward
is:

1. We maintain the 11-backports plan with only amd64 SKUs in the future.
   This lets us leave the current amd64 SKUs unchanged so amd64 users do
   not need to take any action.
2. We introduce a new plan 11-backports-arm64-v2 that will contain
   only newly published arm64 images using a SKU with the same name.
   Arm64 users will need to specify the new SKU when launching VMs. (Feel
   free to suggest a better name for the new plan/SKU.)

Any previously published images in the existing plan will continue to
work, so this change will only impact new images published.
The change will impact both the release and daily images.
So new release images will have URNs something like

    Debian:debian-11:11-backports-arm64-v2:latest

Where they currently are named

    Debian:debian-11:11-backports-arm64:latest

In order to publish new images to the new plan, we will need to create
the plan with appropriate parameters and then update the publication
pipeline to specify the necessary plan ID when publishing 11-backports
arm64 images. That can be implemented with the following change to the
publication code:

https://salsa.debian.org/noahm/debian-cloud-images/-/commit/c2e8a64c45474b12c99a90f543a267dd6aa17c9d

Note that the standard non-backports bullseye release is not impacted
because it does not support arm64 VMs at all. Only bullseye-backports
is impacted.

noah