Yeah, we were originally considering fixing all of the individual
templates but frankly it was just too much of a mess of bad patterns
from a variety of different authors with no real consistency.
Instead what we came up with is distrobuilder
(https://github.com/lxc/distrobuilder) which has now taken over image building
duties for all the images we produce (https://images.linuxcontainers.org) and
does have proper https and gpg support from the start.
All images we produce are built using public YAML definitions that can
be found in https://github.com/lxc/lxc-ci and all of those either rely
on https for the download of the base tarball (which then contains
what's needed for the package manager to safely fetch packages) or
directly contain a custom GPG keyring that's exposed to the image build.
The rest of the story is effectively the same as before: all builds happen on
our infrastructure (https://jenkins.linuxcontainers.org), images are then
pulled, validated and signed by a separate system which then pushes them to the
image server. All artifacts are available over valid https and are GPG-signed
using the key that's baked into the lxc-download script.
Back in LXC 3.0 we moved the legacy template scripts to their own
repository at https://github.com/lxc/lxc-templates and they are now
community maintained without security/lts commitments on them on our
side. Ubuntu still ships lxc-templates but it does so in universe rather
than main, matching the upstream commitment.
** Changed in: lxc (Ubuntu)
Status: New => Fix Released
** Information type changed from Private Security to Public Security
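As an added illustration of the trust model the reply describes (https-only transport plus a pinned, baked-in GPG keyring), here is a small POSIX shell sketch; it is not the lxc-download or distrobuilder code, and the function names, return codes and file paths are assumptions for the example.

```shell
#!/bin/sh
# Added example: verify a downloaded image artifact against a detached GPG
# signature using ONLY a pinned keyring file (the "baked-in key" model).
# Function names, return codes and paths are assumptions, not lxc's own.
set -u

# verify_signed_artifact ARTIFACT SIGNATURE KEYRING
#   0 = good signature from a key present in KEYRING
#   1 = bad/missing signature, unreadable input, or key not in KEYRING
#   2 = gpg not installed (callers must treat this as failure, never "skip")
verify_signed_artifact() {
    artifact=$1; sig=$2; keyring=$3
    command -v gpg >/dev/null 2>&1 || return 2
    [ -r "$artifact" ] && [ -r "$sig" ] && [ -r "$keyring" ] || return 1
    # Throw-away homedir: nothing in the user's ~/.gnupg can affect the result,
    # and --no-default-keyring makes the pinned keyring the only trust source.
    vhome=$(mktemp -d) || return 1
    chmod 700 "$vhome"
    if gpg --batch --quiet --homedir "$vhome" \
           --no-default-keyring --keyring "$keyring" \
           --verify "$sig" "$artifact" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$vhome"
    return "$rc"
}

# fetch_and_verify URL KEYRING DEST
# Transport is restricted to https (no redirect to http, TLS >= 1.2); the
# artifact is discarded unless its detached signature checks out.
fetch_and_verify() {
    url=$1; keyring=$2; dest=$3
    curl --proto '=https' --tlsv1.2 -fsSL -o "$dest" "$url" || return 1
    curl --proto '=https' --tlsv1.2 -fsSL -o "$dest.asc" "$url.asc" || return 1
    if ! verify_signed_artifact "$dest" "$dest.asc" "$keyring"; then
        rm -f "$dest" "$dest.asc"
        return 1
    fi
}
```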
https://bugs.launchpad.net/bugs/1661447
Title:
Arbitrary code execution in centos template