On Mon, Jul 07, 2025 at 06:00:15PM +0000, Jeremy Stanley wrote: > https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2069607 has > finally been switched to public upstream as of Friday, and contains a lot > more of the rationale behind their breaking change decisions.
Thanks. My initial thinking about this issue mirrors what was expressed by James Page in the launchpad comments. [1] In a typical cloud environment, this would not be an issue, as it would not be possible for a malicious user to hijack one of the link-local IMDS addresses. However, as observed elsewhere, not all uses of cloud-init are in actual cloud environments. [2] We provide downloadable VM images that are usable with qemu in non-cloud environments. In those cases, it is possible that there could be a malicious user on the local network link with one of the IMDS addresses. It's an unlikely scenario, and relies on quite a bit of coincidental network access and configuration, but it can happen. Given all of that, I think we should: 1. Update to the latest cloud-init upstream for trixie. It includes a couple of other low-risk bug fixes, too. 2. Update cloud-init in a bookworm point release with a backport of the fix. I haven't looked yet at the complexity involved in backporting the fix to 22.4.2 yet, but will do so now. Given the limited impact of the breaking change, I think documenting it in debian/changelog is sufficient, and we don't need a NEWS entry. Does anybody disagree with the above? noah 1. https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2069607/comments/31 2. https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2069607/comments/32
