[-Removing [email protected] as undeliverable] On Thu, Jul 04, 2013 at 06:37:37PM -0400, Jimmy Kaplowitz wrote: > That said, currently the Google-specific startup scripts which are installed > in > Google Compute Engine images handle this correctly, removing all three types > of > keys on first boot (clearly a bit of the distro-independent logic there > overlaps with build-debian-cloud). Therefore the Google images shouldn't be > vulnerable. > > It would be great if someone reading this would test - I'm rushing to prepare > for holiday travel, but pushing out images in line with actual urgency can be > done from my trip. If you want to help more with Google Compute Engine images > but don't have access, send me a Google account and I can give you access to a > free-billing but shared/small-quota project.
Never mind, I forgot I had my personal laptop set up properly for Google Compute Engine. I just did a quick test, and two newly created Debian wheezy instances had different ECDSA host keys. So confirmed, our Google Compute Engine images aren't vulnerable. This reminds me, I realize I never announced 7.1 images here - I built them the Monday after release, and published them 2-3 days later following both manual and Google-internal validation. If you use --image=debian-7 when calling gcutil addinstance, you'll always get the latest Debian wheezy image on Google Compute Engine. - Jimmy Kaplowitz [email protected] -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
