Excerpts from Jeremy Stanley's message of 2017-05-16 17:41:28 +0000: > On 2017-05-16 11:17:31 -0400 (-0400), Doug Hellmann wrote: > > Excerpts from Sam Yaple's message of 2017-05-16 14:11:18 +0000: > [...] > > > If you build images properly in infra, then you will have an image that is > > > not security checked (no gpg verification of packages) and completely > > > unverifiable. These are absolutely not images we want to push to > > > DockerHub/quay for obvious reasons. Security and verification being chief > > > among them. They are absolutely not images that should ever be run in > > > production and are only suited for testing. These are the only types of > > > images that can come out of infra. > > > > This sounds like an implementation detail of option 3? I think not > > signing the images does help indicate that they're not meant to be used > > in production environments. > [...] > > I'm pretty sure Sam wasn't talking about whether or not the images > which get built are signed, but whether or not the package manager > used when building the images vets the distro packages it retrieves > (the Ubuntu package mirror we maintain in our CI doesn't have > "secure APT" signatures available for its indices so we disable that > security measure by default in the CI system to allow us to use > those mirrors). Point being, if images are built in the upstream CI > with packages from our Ubuntu package mirror then they are (at least > at present) not suitable for production use from a security > perspective for this particular reason even in absence of the other > concerns expressed.
Thanks for clarifying; that makes more sense. __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev