Hi,

On Wed Nov 11, 2015 at 12:01:01 +0100, Richard Hartmann wrote:
> Without any official hat, I agree with Md that the changes to the
> installed packages seem reasonable, as sparse as possible, and driven
> by technological necessity.
>
> I would like to see an official list of packages and checksums
> (ideally both SHA-512 and SHA 3-512 as compute & storage are cheap and
> using two families increases resilience significantly) & size of the
> base image and all files in the base install, sent to list and signed
> by a DD, though.

A "find / -exec sha3sum {} \; > logfile.log" should be easily doable.

> Putting said base image and signed list into a place
> where DSA can safe-guard it long-term would be the cherry on top.
> This seems to be reasonable in terms of actual effort and could help
> establish a baseline for a published list of known-good system states.

I would like to discuss that part with Steve McIntyre, but it sounds
doable, maybe not for the first round of publishing though.

> It's also a request which we could reasonably extend to everyone
> interested in publishing their images on the respective platforms,
> both retroactively and going forward.

I would suggest we open a separate thread on the debian-cloud mailing
list for defining a list of official requirements for all vendors. As
long as we define the first version of that list I would suggest though
that those are nice to have for the Azure (and all other) images but
will not block us from releasing the images.

Cheers,
Martin
-- 
Martin Zobel-Helas
Technischer Leiter Betrieb
Tel.: +49 (2161) 4643-0
Fax: +49 (2161) 4643-100
E-Mail: martin.zobel-he...@credativ.de
pgp fingerprint: 6B18 5642 8E41 EC89 3D5D BDBB 53B1 AC6D B11B 627B
http://www.credativ.de
credativ GmbH, HRB Mönchengladbach 12080
USt-ID-Nummer: DE204566209
Hohenzollernstr. 133, 41061 Mönchengladbach
Geschäftsführung: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
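
The baseline discussed in this thread (size plus SHA-512 and SHA3-512 for every file in the base install, later compared against a running system), sketched as an added example that is not part of the original message or of any Debian tooling. It goes beyond the one-line find command by skipping device nodes, FIFOs and sockets and by recording symlinks by target; all function names are hypothetical and the sample tree is constructed.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def hash_file(path, chunk=1 << 20):
    """Read a file once; return (size, sha512 hex, sha3_512 hex)."""
    h2, h3, size = hashlib.sha512(), hashlib.sha3_512(), 0
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h2.update(block)
            h3.update(block)
            size += len(block)
    return size, h2.hexdigest(), h3.hexdigest()

def build_manifest(root):
    """Map relative path -> entry for every file and symlink under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            rel = os.path.relpath(full, root)
            if stat.S_ISLNK(mode):        # record the target, never follow it
                manifest[rel] = ("symlink", os.readlink(full))
            elif stat.S_ISREG(mode):      # devices, FIFOs, sockets are skipped
                manifest[rel] = hash_file(full)
    return manifest

def diff(baseline, current):
    """Return (added, removed, changed) paths between two manifests."""
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, removed, changed

def demo():
    """Constructed sample tree: baseline it, alter it, diff against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "etc").mkdir()
        Path(root, "etc/hostname").write_bytes(b"debian\n")
        Path(root, "etc/motd").write_bytes(b"hello\n")
        os.symlink("hostname", Path(root, "etc/alias"))
        baseline = build_manifest(root)
        Path(root, "etc/motd").write_bytes(b"hellp\n")   # same size, new content
        Path(root, "etc/hostname").unlink()
        Path(root, "extra").write_bytes(b"x")
        return baseline, diff(baseline, build_manifest(root))
```

The manifest only has value as a baseline if it is produced from the image before first boot and stored, signed, somewhere the system being checked cannot write to.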