On Thu, Oct 01, 2020 at 05:16:36PM +0200, tkoeck wrote:
> is there an AMI image ID that is always the recent one?
>
> As far as I have seen the AMI image ID always changes for every
> subversion (e.g. Debian 10.0 to 10.1)?
>
> It would be interesting to have an AMI image ID which would always
> represent the newest Debian 10 AMI image with all security updates
> installed.

We publish updated AMIs (and images for other cloud services) when
necessary, not just on stable point releases. You can see the history
for buster and stretch AMIs at the following locations. Note especially
the updates addressing DSAs for core packages such as the kernel, libc,
or openssl.

https://wiki.debian.org/Cloud/AmazonEC2Image/Buster and
https://wiki.debian.org/Cloud/AmazonEC2Image/Stretch

We don't necessarily publish updates for every package in the base image
that gets an update. Many package updates are for relatively minor
issues with a limited exposure. Cloud-init provides a simple mechanism
allowing packages to be updated upon instance launch, and we run
unattended-upgrades by default. Primarily, the packages that trigger an
AMI update are packages that require a reboot in order to be effectively
applied.

I think our current approach provides a good balance between up-to-date
contents and excessive churn. However, if you really want something
more likely to be up-to-date, we generate images daily, and you can use
them. You should understand that these daily builds are mostly intended
for testing purposes, and they could disappear with little to no
warning. See
https://noah.meyerhans.us/2020/03/04/daily-vm-image-builds-are-available-from-the-cloud-team/
for details about where to find them.

noah
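
Added example, not part of the original message or of the Debian cloud team's own configuration: a cloud-config user-data document that applies pending package updates at first boot and lets reboot-requiring updates (kernel, libc, openssl) take effect on an instance launched from an older AMI. The drop-in file name and the reboot time are assumptions chosen for illustration.

```yaml
#cloud-config
# Constructed example: pass as EC2 user data when launching the instance.

# Refresh the package index and apply all pending upgrades on first boot.
package_update: true
package_upgrade: true

# Reboot once at the end of first boot if an upgraded package (for example
# the kernel) asked for it, so the fix is actually running.
package_reboot_if_required: true

# unattended-upgrades keeps installing security updates afterwards; this
# drop-in (hypothetical file name) also lets it reboot when an update needs it.
write_files:
  - path: /etc/apt/apt.conf.d/52unattended-upgrades-reboot
    owner: root:root
    permissions: '0644'
    content: |
      Unattended-Upgrade::Automatic-Reboot "true";
      Unattended-Upgrade::Automatic-Reboot-Time "03:00";
```

The first-boot upgrade lengthens launch time, and automatic reboots should only be enabled on instances that tolerate a restart in the chosen window.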