[ec2] [ubuntu-cloud] RFC: server-lucid-ec2-config: user-data configuration file

Soren Hansen soren at ubuntu.com
Tue Jan 5 12:38:26 GMT 2010


On Tue, Jan 05, 2010 at 03:11:50AM -0800, Eric Hammond wrote:
> We choose when to update our running systems, often after testing in
> development and QA environments.  However, if systems are being fired
> up automatically by Amazon's Auto Scaling or Spot Instances and those
> instances upgrade themselves on boot, then package upgrades are forced
> on you whether or not you have tested, unless you choose to use a
> date-fixed apt mirror like RightScale offers.

If Ubuntu were ever to offer date-fixed repositories, I would personally
consider that having declared complete bankruptcy on our SRU and
security update policies and procedures. If we don't even trust our own
process for these updates, and acknowledge the need for date-fixed
repositories, we've lost. If we discover shortcomings in these
processes, we need to fix them, not offer ways to circumvent them.

Furthermore, even the smallest delays in applying security updates mean
a window of opportunity for an attacker. I consider it a critical
feature for Ubuntu that our users should feel comfortable applying our
security updates without much scrutiny.

-- 
Soren Hansen                 | 
Lead virtualisation engineer | Ubuntu Server Team
Canonical Ltd.               | http://www.ubuntu.com/