Yeah, we were originally considering fixing all of the individual templates but frankly it was just too much of a mess of bad patterns from a variety of different authors with no real consistency.
Instead what we came up with is distrobuilder (https://github.com/lxc/distrobuilder) which has now taken over image building duties for all the images we produce (https://images.linuxcontainers.org) and does have proper https and gpg support from the start.

All images we produce are built using public YAML definitions that can be found in https://github.com/lxc/lxc-ci and all of those either rely on https for the download of the base tarball (which then contains what's needed for the package manager to safely fetch packages) or directly contain a custom GPG keyring that's exposed to the image build.

The rest of the story is effectively the same as before: all builds happen on our infrastructure (https://jenkins.linuxcontainers.org), images are then pulled, validated and signed by a separate system which then pushes them to the image server. All artifacts are available through both valid https and gpg signed using the key that's baked into the lxc-download script.

Back in LXC 3.0 we moved the legacy template scripts to their own repository at https://github.com/lxc/lxc-templates and they are now community maintained without security/LTS commitments on them on our side. Ubuntu still ships lxc-templates but it does so in universe rather than main, matching the upstream commitment.

** Changed in: lxc (Ubuntu)
   Status: New => Fix Released

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1661447

Title:
  Arbitrary code execution in centos template
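The reply above states the policy the image definitions are held to: the base tarball is either fetched over https, or the definition pins a GPG key that the build uses to verify what it downloads. The following is an added example of how to audit definitions against that policy; it is not distrobuilder's or lxc-ci's code. The field names source.url, source.keys, source.keyserver and source.skip_verification follow the public distrobuilder YAML format (an assumption about that format, not something taken from this thread), and the sample definitions are constructed for this example. Real definitions would be loaded with a YAML parser such as PyYAML's yaml.safe_load; that step is left out so the example runs with the standard library only.

```python
"""Audit the `source` section of distrobuilder-style image definitions.

Added example, not distrobuilder's own code.  Field names follow the public
distrobuilder YAML format (assumption); SAMPLE_DEFINITIONS is constructed data.
Policy checked: a source is acceptable if it is fetched over https, or if it is
fetched in plaintext but a full GPG fingerprint / armored key is pinned for it.
"""
import re
from urllib.parse import urlparse

# A full OpenPGP v4 fingerprint is 40 hex digits, optionally prefixed with 0x.
FULL_FINGERPRINT = re.compile(r"^(0x)?[0-9A-Fa-f]{40}$")
ARMORED_KEY_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----"


def _is_strong_key(key) -> bool:
    """Accept either a full fingerprint or an inline armored public key."""
    text = str(key).strip()
    return bool(FULL_FINGERPRINT.match(text)) or text.startswith(ARMORED_KEY_HEADER)


def audit_source(definition: dict) -> list:
    """Return a list of findings for one definition; [] means it meets the policy."""
    findings = []
    source = definition.get("source") or {}
    url = source.get("url") or ""
    keys = source.get("keys") or []
    if isinstance(keys, str):          # tolerate a single key given as a scalar
        keys = [keys]
    scheme = urlparse(url).scheme.lower()

    if source.get("skip_verification"):
        findings.append("skip_verification is set: the downloaded source is not checked at all")

    # Short key IDs are trivially collidable, so only a full fingerprint counts as a pin.
    strong_keys = [k for k in keys if _is_strong_key(k)]
    for k in keys:
        if not _is_strong_key(k):
            findings.append(f"key {k!r} is not a full 40-hex fingerprint or an armored key block")

    if scheme == "https":
        return findings                # TLS anchors the fetch; pinned keys are a bonus
    if not url:
        findings.append("source.url is missing")
    elif scheme in ("http", "ftp"):
        if not strong_keys:
            findings.append(f"{url}: plaintext fetch with no pinned GPG key to verify it")
    else:
        findings.append(f"{url}: unexpected URL scheme {scheme!r}")
    return findings


def audit_all(definitions: dict) -> dict:
    """Audit several named definitions; returns {name: [findings]}."""
    return {name: audit_source(d) for name, d in definitions.items()}


# Constructed sample definitions (not real lxc-ci definitions).
SAMPLE_DEFINITIONS = {
    "https-tarball": {"source": {
        "downloader": "rootfs-http",
        "url": "https://example.invalid/rootfs.tar.xz"}},
    "http-with-pinned-key": {"source": {
        "downloader": "debootstrap",
        "url": "http://deb.example.invalid/debian",
        "keyserver": "keyserver.ubuntu.com",
        "keys": ["0x" + "A" * 40]}},
    "http-no-key": {"source": {
        "downloader": "rootfs-http",
        "url": "http://example.invalid/rootfs.tar.xz"}},
    "short-keyid": {"source": {
        "downloader": "debootstrap",
        "url": "http://deb.example.invalid/debian",
        "keys": ["0xDEADBEEF"]}},
    "unverified": {"source": {
        "downloader": "rootfs-http",
        "url": "https://example.invalid/rootfs.tar.xz",
        "skip_verification": True}},
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_DEFINITIONS).items():
        status = "ok" if not findings else "FAIL"
        print(f"{status:4} {name}")
        for f in findings:
            print(f"       - {f}")
```

Run against the sample set, only "https-tarball" and "http-with-pinned-key" pass; the other three each produce at least one finding. The same function can be pointed at a checkout of real definitions once they are loaded from YAML, which is how a reviewer would confirm that every definition in a repository still meets the policy after a contribution.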
