[ec2] [ubuntu-cloud] RFC: server-lucid-ec2-config: user-data configuration file

Eric Hammond esh at ubuntu.com
Tue Jan 5 18:09:10 GMT 2010


Soren:

You make a good point.  I wasn't keeping track of whether these updates
were from -security.  In my proposed samples of how to use the
date-fixed apt mirrors in http://run.alestic.com/apt/rightscale the
-security line pointed directly to ubuntu.com and not the alternative
mirror.  I don't know if companies who need this would use it that way
or not.

Even so, isn't the default for Ubuntu to not automatically apply the
security updates without user intervention?  It seems like it would be
nice to allow users the option to operate under this policy even if it
isn't the default on EC2 and even if Canonical is not the one providing
the option with the date-fixed apt mirror.

For the record, I am personally very comfortable applying Ubuntu updates
without much scrutiny.  This is one of the main reasons I switched to
Ubuntu after regularly running into issues applying updates with
alternative distros.

I feel like we're getting a little off topic, too.  I was presenting a
few sample use cases on why automatic apt-get upgrade from Canonical's
EC2 apt mirrors on first boot can cause problems for users who want to
specify their own apt mirrors in user-data scripts.

Even if we don't completely agree on every one of the use cases or think
that Canonical might be able to improve their mirrors to reduce the
frequency users desire an alternative, it sounds like the proposed
solution was acceptable and we can move forward for now.

Did anybody submit any comments on the rest of the user-data
configuration file RFC?

--
Eric Hammond



Soren Hansen wrote:
> On Tue, Jan 05, 2010 at 03:11:50AM -0800, Eric Hammond wrote:
>> We choose when to update our running systems, often after testing in
>> development and QA environments.  However, if systems are being fired
>> up automatically by Amazon's Auto Scaling or Spot Instances and those
>> instances upgrade themselves on boot, then package upgrades are forced
>> on you whether or not you have tested, unless you choose to use a
>> date-fixed apt mirror like RightScale offers.
> 
> If Ubuntu were ever to offer date-fixed repositories, I would personally
> consider that having declared complete bankruptcy on our SRU and
> security update policies and procedures. If we don't even trust our own
> process for these updates, and acknowledge the need for date-fixed
> repositories, we've lost. If we discover shortcomings in these
> processes, we need to fix them, not offer ways to circumvent them.
> 
> Furthermore, even the smallest delays in applying security updates mean
> a window of opportunity for an attacker. I consider it a critical
> feature for Ubuntu that our users should feel comfortable applying our
> security updates without much scrutiny.
> 
