[ Apologies for delayed responses - massively busy in the last week ... ]
On Thu, Nov 12, 2015 at 10:04:19PM +0100, Thomas Goirand wrote:
>On 11/12/2015 07:58 PM, Bastian Blank wrote:
>
>> Also none of the built stuff is updated regularly with security
>> fixes.
>
>If you think we should do more regular updates of the cloud images (ie:
>more often than the point releases), then we can discuss this with
>Steve. The shellshock and heartbleed holes for example, were very valid
>cases where an update of these images would have been desirable.
>
>It would be a very good idea to trigger builds if there's a DSA on a
>package included in the image. I don't think it'd be too hard to implement.
>
>Steve, your thoughts on this specific problem?

That's a very good question, and one I'll admit that I'd not paid much
attention to. Unless the images are set up to auto-update at boot (is
that a sensible thing? Do any of the published images do this?), we
should definitely be updating/replacing our official images regularly.

So... Should we just get into the habit of doing a rebuild once
weekly/monthly? If you'd rather trigger on security bugs, a cron
script to check the list of included packages for updates will be
needed. If we want truly responsive builds in that latter case, then
we'll possibly need to change the signing that happens too. The
existing debian-cd signatures are done by hand for the stable builds.

-- 
Steve McIntyre, Cambridge, UK. st...@einval.com
You lock the door
And throw away the key
There's someone in my head but it's not me