digitalocean / marketplace-partners

Image validation, automation, and other tools for DigitalOcean Marketplace Vendors and Custom Image users

proposal: don't check for available updates during img_check.sh #137

Open coryschwartz opened 3 years ago

coryschwartz commented 3 years ago

I don't think img_check.sh should check for security updates, and here are a few reasons why:

  1. The base images do not pass this test, and they are available on the marketplace.
  2. Some package managers prompt for a decision during package upgrades that is unrelated to the vendor's software and the decision might be at odds with the end user's desires.
    • i.e. Ubuntu will prompt for what to do about an SSH config file or some other system configuration. The Ubuntu distribution thought it was best for end users to make this decision, and DO vendors should not make the decision on behalf of DO users.
  3. To have upgrades applied at image-creation time provides little to no security benefit to end users.
    • When a user builds a droplet, there might be security packages between the time of image creation and droplet creation. This remains true whether or not the vendor performed apt update. End users will still need to do package updates on their own if they want to stay patched.
  4. Automated image creation is non-deterministic if there are package updates involved. Packer may work once, and then a week later fail the same operation because the package manager asked a different set of questions during package updates. This causes additional complication for vendors and I think little benefit for users.
  5. The timing between image creation and submission to the portal is too critical.
    • If an image is created on Friday and submitted on Friday, that might be fine. If it's submitted on Monday and there were package updates over the weekend, maybe it doesn't pass.

jgannondo commented 2 years ago

Hi @coryschwartz - sorry it took a while to get back to you on this.

Now that img_check.sh runs on an image when it is submitted to Vendor Portal, the chance of there being a gap between the submission and the img_check running on our end should be minimal, so long as the Vendor submits the image very soon after it is built.

Given that, I'm inclined to close this issue but I wanted to make sure I understood all of the bits before doing that.

Thanks!