----- Original Message -----
Hi security team. I'm working on
https://fedoraproject.org/wiki/Changes/VisibleCloud
which proposes promoting the Fedora Cloud image on basically equal footing
with the desktop download. Daniel Berrange gave the useful feedback that
while installation-based distribution allows one to install updates at build
time, image-based distribution means that the image must be booted to apply
updates, giving a window of insecurity. (Unless careful measures are taken.)
When there was a security issue with the previous Fedora image, we did do a
fire-drill with an ad hoc respin and pushed new images. Dan suggests that we
develop (in coordination with the QA and release engineering teams) a
security policy for updates to the cloud image.
Is this of interest?
I think this is of great interest to us. It's a whole new way of thinking
about the distribution. New concepts like this always bring new challenges.
So needing to respin images is almost certainly going to happen. I suspect
there isn't going to be an easy way to define what that is though. Some
people might care about local root issues, remote root is obviously bad no
matter what. What about system level denial of service? The attack surface
potential here is going to be REALLY high. Our challenge will be to think
of this not as a normal distribution, but as a cloud image (which I'm
currently not doing in my head).
I'm unsure what I think about the concern with needing to boot an image to
apply updates. This is true of a fresh install, no? This update problem will
be dictated by what's running on an image at boot time.
Anyhow, I think this is a good conversation opener. If anyone has any ideas
about what we should be worried about, thinking about, or if you have a
clever idea, let us know.
Thanks, Matthew.
--
JB