On Mon, Jul 15, 2013 at 12:21:11PM -0600, Kevin Fenzi wrote:
> On Mon, 15 Jul 2013 13:40:18 -0400
> Matthew Miller <mat...@fedoraproject.org> wrote:
> 
> > On Mon, Jul 15, 2013 at 05:05:47PM +0100, Daniel P. Berrange wrote:
> > > IMHO a publicised security update policy for cloud images should be
> > > a 'must have' prior to promoting the images as 1st class citizens
> > > supported by Fedora.
> > 
> > That seems reasonable. I'll talk to the security team.
> 
> And QA and releng? ;) 
> 
> I'm worried about the additional work this might cause unless we are
> very narrow in what requires an image update. Is it: 
> 
> * Security update in any package in the cloud image?
> 
> or
> 
> * Security update in any package in the cloud image that is 'remote'
>   vulnerability?
> 
> or
> 
> * Security update in any exposed package with a remote vulnerability?
>   (ie, kernel and openssh and firewalld or the like). 
> 
> or something else?

The answer depends on what threats we're trying to protect against.

The most basic requirement I'd say is that it needs to be possible
for live images to be booted in a cloud with publicly routed
network connectivity. The admin needs to be able to log in & run a
yum update without the image being at risk of compromise prior to
this completing. We do /not/ need to protect against non-admin users
logging in with malicious intent prior to the admin yum updating.

This would say that either the 2nd or 3rd options you describe would
be the target, the 3rd if we want to be really strict & constrain the
resources spent on producing updates.


FWIW, as a point of reference, Ubuntu seem to publish refreshed cloud
images every few days

  http://cloud-images.ubuntu.com/quantal/

This seems to suggest that they're rebuilding their images when any
package changes at all, not just security updates.

> We've never provided updated live images down the road for security
> issues. I understand cloud is a bit different, but we need to be clear
> on the scope, IMHO. 

Yep, absolutely

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel