cloud image updates (for f20 and beyond)

Eric H. Christensen sparks at fedoraproject.org
Tue Jul 16 03:34:08 UTC 2013



On Mon, Jul 15, 2013 at 09:35:02PM -0400, Matthew Miller wrote:
> Hi security team. I'm working on 
> 
>   https://fedoraproject.org/wiki/Changes/VisibleCloud
> 
> which proposes promoting the Fedora Cloud image on basically equal footing
> with the desktop download. Daniel Berrange gave the useful feedback that
> while installation-based distribution allows one to install updates at build
> time, image-based distribution means that the image must be booted to apply
> updates, giving a window of insecurity. (Unless careful measures are taken.)

Yeah, I can see this as being a concern.  The risk will more than likely be small due to the window of time involved, but it's always good to ship the fixes when they exist.

> When there was a security issue with the previous Fedora image, we did do a
> fire-drill with an adhoc respin and pushed new images. Dan suggests that we
> develop (in coordination with the qa and release engineering teams) a
> security policy for updates to the cloud image.

Each CVE receives a CVSSv2 score in BZ.  This *could* be used as a way to determine which vulnerability patches should go into your spin.  Of course, this may end up with more updates than needed, being that you might be patching software that would necessarily run at boot time or be vulnerable immediately.  It's a place to start, IMO, though.

-- Eric

--------------------------------------------------
Eric "Sparks" Christensen
Fedora Project - Red Hat

sparks at redhat.com - sparks at fedoraproject.org
097C 82C3 52DF C64A 50C2  E3A3 8076 ABDE 024B B3D1
--------------------------------------------------

