Azure Marketplace has implemented new restrictions on Marketplace listings that will impact how we publish bullseye-backports. All v2 SKUs in a given plan must be published with the same security configuration (none or Trusted Launch, in our case). For most supported Debian releases, this is fine, as Trusted Launch is fully supported for all gen2 SKUs (amd64 and arm64 architectures, specifically). However, this is not the case with bullseye-backports.
For toolchain related reasons, bullseye didn't support UEFI Secure Boot on arm64, so the corresponding SKUs would need to be indicate this by providing a security setting of "none". Our amd64 images do support secure boot, so we publish those with the security setting of "Trusted Launch". With this new Marketplace restriction, these cannot be different SKUs within the same plan, so we need to move them to separate plans. Doing this will require user-visible changes. Within the 11-backports plan, we currently publish the following SKUs: * amd64 gen1 is published as 11-backports * amd64 gen2 is published as 11-backports-gen2 * arm64 gen2 is published as 11-backports-arm64 In order to support Microsoft's change, we need to move one or both of the gen2 SKUs to a new plan. SKUs cannot be re-used between plans, so doing this requires that we also introduce new SKUs for any listings that we publish under a different plan. Because SKUs are user-visible and are used to specify a particular image when launching a VM, this is a disruptive change. I believe the least disruptive path forward is: 1. We maintain the 11-backports plan with only amd64 SKUs in the future. This lets us leave the current amd64 SKUs unchanged so amd64 users do not need to take any action. 2. We introduce a new plan 11-backports-arm64-v2 that will contain only newly published arm64 images using a sku with the same name. Arm64 users will need to specify the new SKU when launching VMs. (Feel free to suggest a better name for the new plan/sku.) Any previously published images in the existing plan will continue to work, so this change will only impact new images published. The change will impact both the release and daily images. So new release images will have URNs something like Debian:debian-11:11-backports-arm64-v2:latest Where they currently are named Debian:debian-11:11-backports-arm64:latest In order to publish new images to the new plan, we will need to create the plan with appropriate parameters and then update the publication pipeline to specify the necessary plan ID when publishing 11-backports arm64 images. That can be implemented with the following change to the publication code: https://salsa.debian.org/noahm/debian-cloud-images/-/commit/c2e8a64c45474b12c99a90f543a267dd6aa17c9d Note that the standard non-backports bullseye release is not impacted because it does not support arm64 VMs at all. Only bullseye-backports is impacted. noah
