On 11/23/2015 01:28 AM, Steve McIntyre wrote:
> [ Apologies for delayed responses - massively busy in the last week
> ... ]

No worries, and no hurry. :)

> On Thu, Nov 12, 2015 at 10:04:19PM +0100, Thomas Goirand wrote:
>> On 11/12/2015 07:58 PM, Bastian Blank wrote:
>>
>>> Also none of the built stuff is updated regularly with security
>>> fixes.
>>
>> If you think we should do more regular updates of the cloud images (ie:
>> more often than the point releases), then we can discuss this with
>> Steve. The shellshock and heartbleed holes, for example, were very valid
>> cases where an update of these images would have been desirable.
>>
>> It would be a very good idea to trigger builds if there's a DSA on a
>> package included in the image. I don't think it'd be too hard to implement.
>>
>> Steve, your thoughts on this specific problem?
>
> That's a very good question, and one I'll admit that I'd not paid much
> attention to. Unless the images are set up to auto-update at boot (is
> that a sensible thing? Do any of the published images do this?), we
> should definitely be updating/replacing our official images
> regularly. So... Should we just get into the habit of doing a rebuild
> once weekly/monthly? If you'd rather trigger on security bugs, a cron
> script to check the list of included packages for updates will be
> needed.

I very much would prefer the latter for the stable image. And I'd be for
increasing the micro-version of the image in case of such an emergency
update. The recent heartbleed and shellshock proved it would be valuable
to not wait a week, and at the same time, generating a new image when no
package has a security fix is annoying.

Checking against the image's list of packages is easy, but how do you get
new packages for which a h was sent? Would you configure a new mailbox,
get it registered to the DSA announce list, and wire that to a script?
I'd know how to do that on my own server. But I just wonder if there's an
easier way.

> If we want truly responsive builds in that latter case, then we'll
> possibly need to change the signing that happens too. The existing
> debian-cd signatures are done by hand for the stable builds.

Hum... But you're not signing the cloud images, are you?

Cheers,

Thomas Goirand (zigo)
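The check Steve describes above (compare the packages baked into an image against security advisories and only rebuild when one of them is actually older than the fixed version) needs a proper Debian version comparison, since a naive string compare gets cases like `1.10` vs `1.9` or `~rc1` wrong. The script below is an added example, not code from this thread or from the Debian cloud team. The package manifest (the output of `dpkg-query -W -f '${Package} ${Version} ${source:Package}\n'` taken from the image) and the advisory list are constructed samples, the advisory ids are placeholders, and how the advisory list is fetched (DSA announce mail or the security tracker) is left as an assumption outside the script.

```python
"""Decide whether a cloud image needs a security rebuild.

Added example (not from the debian-cloud thread): compare the package
manifest of an image against a list of advisories with their fixed
versions and report the image packages that are still older than the fix.
Version comparison follows Debian Policy 5.6.12 (the dpkg algorithm).
"""

# Constructed sample manifest from the image: binary, version, source package.
IMAGE_MANIFEST = """\
bash 4.3-11+deb8u1 bash
libssl1.0.0 1.0.1k-3+deb8u1 openssl
openssl 1.0.1k-3+deb8u1 openssl
vim-tiny 2:7.4.488-7 vim
linux-image-3.16.0-4-amd64 3.16.7-ckt11-1+deb8u5 linux
"""

# Constructed sample advisories: (placeholder id, source package, fixed version).
ADVISORIES = [
    ("DSA-0001-1", "bash", "4.3-11+deb8u2"),       # image is older: rebuild
    ("DSA-0002-1", "openssl", "1.0.1k-3+deb8u1"),  # image already carries the fix
    ("DSA-0003-1", "vim", "2:7.4.488-7+deb8u1"),   # hits vim-tiny via its source package
    ("DSA-0004-1", "nginx", "1.6.2-5+deb8u1"),     # not in the image: ignore
]


def _order(c: str) -> int:
    """dpkg ordering for one character: '~' before everything (even end of string),
    end of string and digits at 0, letters next, other punctuation last."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision fragment the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Leading non-digit runs are compared character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa = _order(a[i] if i < len(a) else "")
            ob = _order(b[j] if j < len(b) else "")
            if oa != ob:
                return -1 if oa < ob else 1
            i += 1
            j += 1
        # Then digit runs are compared numerically (leading zeros dropped).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1   # a has more digits, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 for Debian versions [epoch:]upstream[-revision]."""
    def split(v: str):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def affected_packages(manifest: str, advisories):
    """List (binary, installed, advisory, fixed) for image packages older than a fix.
    Advisories name source packages, so the manifest's source column is the join key."""
    by_source = {}
    for line in manifest.splitlines():
        if line.strip():
            binary, version, source = line.split()
            by_source.setdefault(source, []).append((binary, version))
    hits = []
    for advisory, source, fixed in advisories:
        for binary, installed in by_source.get(source, []):
            if compare_versions(installed, fixed) < 0:
                hits.append((binary, installed, advisory, fixed))
    return hits


def needs_rebuild(manifest: str, advisories) -> bool:
    """True when at least one image package is older than an advisory's fix."""
    return bool(affected_packages(manifest, advisories))


if __name__ == "__main__":
    for binary, installed, advisory, fixed in affected_packages(IMAGE_MANIFEST, ADVISORIES):
        print(f"{advisory}: {binary} {installed} < {fixed}")
    print("rebuild needed" if needs_rebuild(IMAGE_MANIFEST, ADVISORIES) else "image is current")
```

Run from cron, the script would exit non-zero (or trigger the build job) only when `needs_rebuild` is true, which is exactly the "don't generate a new image when no package has a security fix" behaviour wanted above; the source-package join matters because a DSA for `openssl` must also cover binaries like `libssl1.0.0` that the image actually ships.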