----- Original Message -----
> Hi security team. I'm working on
>
> https://fedoraproject.org/wiki/Changes/VisibleCloud
>
> which proposes promoting the Fedora Cloud image on basically equal footing
> with the desktop download. Daniel Berrange gave the useful feedback that
> while installation-based distribution allows one to install updates at build
> time, image-based distribution means that the image must be booted to apply
> updates, giving a window of insecurity. (Unless careful measures are taken.)
>
> When there was a security issue with the previous Fedora image, we did do a
> fire-drill with an ad hoc respin and pushed new images. Dan suggests that we
> develop (in coordination with the qa and release engineering teams) a
> security policy for updates to the cloud image.
>
> Is this of interest?
>

I think this is of great interest to us. It's a whole new way of thinking about the distribution. New concepts like this always bring new challenges.

So needing to respin images is almost certainly going to happen. I suspect there isn't going to be an easy way to define what that is, though. Some people might care about local root issues; remote root is obviously bad no matter what. What about system-level denial of service? The attack surface potential here is going to be REALLY high. Our challenge will be to think of this not as a normal distribution, but as a cloud image (which I'm currently not doing in my head).

I'm unsure what I think about the concern with needing to boot an image to apply updates. This is true of a fresh install, no? This update problem will be dictated by what's running on an image at boot time.

Anyhow, I think this is a good conversation opener. If anyone has any ideas about what we should be worried about, thinking about, or if you have a clever idea, let us know.

Thanks Matthew.

-- JB

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security