On Tuesday, 29 April 2014, 13.46:44 Paul Tagliamonte wrote:
> On Tue, Apr 29, 2014 at 06:38:34PM +0200, Didier Raboud wrote:
> > please consider shipping Debian docker.io pre-built images in proper
> > Debian packages. Having "stable" pre-built images in Debian
> > packages ensures a trust link within the distribution. I'm not
> > happy with the increasing incentive to download distribution images
> > across untrusted links (although index.docker.io at least runs over
> > HTTPS).
>
> I totally agree. I've been pushing for docker upstream to adopt
> OpenPGP signatures on images, but it looks like they want to go with
> SSL Certs. Once those are in place, I'm happy to provide a
> pseudo-official image.

Well, sorry to nitpick, but having Debian's docker.io package ship a public key to trustfully download non-free distribution images wouldn't make it overly better. Debian users have a trust link with the Debian binary packages as shipped in the distro, but there's no good reason to extend that trust to what docker.io upstream built: we're talking about _big_ archives full of _binaries_ (for which there are strictly no freeness or trustworthiness warranties!) that then run on our machines!

Similar to what we do for debian-installer-netboot-images, I was thinking we could have (at least for Debian docker.io containers) something like:

    # apt install docker.io-image-debian-wheezy

This package would contain a docker.io image built on buildds, updated on point-releases.

> However, a better and more sustainable solution here is to ship a
> script to create a Debian image via debootstrap. Something small and
> auditable.

On Tuesday, 29 April 2014, 21.59:49 Jan Wagner wrote:
> Did you have a look into
> /usr/share/docker.io/contrib/mkimage-debootstrap.sh? You can generate
> your own image via debootstrap.

There's that, at least. It should get its .sh postfix removed, get updated to support more than amd64 and be shipped as /usr/bin/docker.io-mkimage-debootstrap for example.

> I'd been considering a script to take an sbuild tarball => docker
> image. I've not done it yet, but this bug is good motivation.

Yay.

> I'll see if there's something I can do to help :)

Yay².

Cheers,
OdyX