[pkg-eucalyptus-maintainers] Updated euca2ools to version 1.2 in Debian.
Dustin Kirkland
kirkland at canonical.com
Sat Mar 13 21:48:18 UTC 2010
On Fri, 2010-03-12 at 18:57 +0100, Steffen Möller wrote:
> >> Hm, hm, hm, hm. I don't know about how much I should care at the very
> >> moment. The official maintainer is Chris, even though he is too busy
> >> these days to write some "upload this now" mails. So, if something is
> >> sufficiently bad to be reuploaded to the distributions, then Chris
> >> should come up with a new public release first.
> >
> > Right, that's part of the reason why we had to split and do our own
> > euca2ools package... We can't really wait. Our deadlines are firm.
>
> Uuuuuuuh. Well, let's hope to undo at least that part of your reason. My
> hunch is that you are paid to do that packaging work and can reserve
> respective time for that. This is tough to beat by Charles, me and since
> Chris still has to go through us for the uploads there is not much he
> could help with.
Right, I think we're well on the way to fixing this ;-)
> > It comes straight from Amazon's website, in their ec2-ami-tools:
> > * http://s3.amazonaws.com/ec2-downloads/ec2-ami-tools.zip
>
> Would there be a way to have the user retrieve that file? Or postinst?
> Us hard core Eucalyptus users don't really want to use it :) (( a lie,
> but it sounds good for a moment ))
Well, I'm not willing or interested in starting a fight over this :-)
We'll just carry the patch in Ubuntu, or find a different package to
land it.
> > I suspect it's somewhat Ubuntu specific. It's meant to talk to an
> > Ubuntu Enterprise Cloud, rather than just EC2. But I'll leave that up
> > to you.
>
> > Well, I could imagine also Debian users to be interested in Ubuntu clouds,
> so I am fine with that. Also, I am preferring sending money to Canonical
> over sending it to Amazon, btw.
Okay, sounds good. Once I'm comfortable uploading to Debian, I'll
upload cloud-utils too.
> > As for dropping to a suggests, we can probably do that. I'll just need
> > to ensure that we seed cloud-utils in the appropriate places, because
> > we're currently using Recommends to ensure that cloud-utils gets
> > installed in places where euca2ools gets installed.
>
> Hm. Is the dependency not rather from the cloud-utils to euca2ools?
We like to see them installed together, in Ubuntu.
> Still, I am uncomfortable. I can well understand (given all the legal
> craziness around) that it is not shipped with upstream.
>
> What about the file being outdated?
>
> > As to the security, I can't imagine any viable concern. It's a public
> > key, not a private key.
>
> The key could be changed in some larger series of patches remaining
> unnoticed and allowing some other site to claim to be Amazon.
All that would do is cause users uploading images to Amazon to fail.
The image would be signed by a key other than Amazon, and Amazon's check
of the signature would fail, and the image won't be accepted.
> > You sign your image with this when you upload
> > to Amazon. Only their private key can decrypt and verify the signature.
> > Unless you want to make euca2ools depend (recommend, suggest)
> > ec2-api-tools (non-free), or you want to point the user to go and
> > retrieve the zip file, extract the public key, and put it into place,
> > euca2ools is of limited usefulness with EC2.
>
> I'd feel like providing a script "install_amazon_public_key.sh" which
> would do exactly that.
It wouldn't be that hard ... Just wget of that zip file, unzip to a
temp dir, pull the key out, and install it into the known location.
What about having a conditional in the postinst that does something
like:
    if grep -qsi ubuntu /etc/issue; then
        wget ... && install ...
    fi
Of course, ensuring that a suitable error message is printed if the
machine is not internet-connected, etc. Would that be acceptable?
> >> Please give a push a chance, just remember to add -guest to what you may
> >> otherwise think to be your ID when specifying the developername.
> >
> > Okay, can you give me a couple of instructions here, as I don't want to
> > screw up my first upload to Debian :-)
>
> Until you are accepted as a DM, it is Charles or me to do the upload.
> See some extra notes further down.
Thanks. I'll take care of the rest of this next week ;-)
Cheers,
:-Dustin
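
One way to write the fetch-and-install step discussed in this message so that a swapped or corrupted download is refused and an offline machine gets a clear error, as an added example (not code from this thread or from euca2ools). The pinned digest, the certificate's path inside the zip and the destination path are placeholders, since the thread does not give them.

```shell
#!/bin/sh
# Added example: fetch the zip, check it against a pinned SHA-256, then
# install the public key. Values marked as placeholders are not from the thread.

ZIP_URL="http://s3.amazonaws.com/ec2-downloads/ec2-ami-tools.zip"  # URL quoted in the thread
PINNED_SHA256="REPLACE_WITH_REVIEWED_DIGEST"       # placeholder: digest reviewed at packaging time
CERT_MEMBER="PATH/INSIDE/ZIP/TO/CERT.pem"          # placeholder: member name not given in the thread
CERT_DEST="/usr/local/share/example/ec2-cert.pem"  # hypothetical install location

# verify_sha256 FILE EXPECTED: succeeds only if FILE exists and hashes to EXPECTED.
verify_sha256() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1) || return 1
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# install_key_from_zip ZIP EXPECTED MEMBER DEST
# Returns 2 on digest mismatch, 3 if the member cannot be extracted.
install_key_from_zip() {
    zip=$1 expected=$2 member=$3 dest=$4
    if ! verify_sha256 "$zip" "$expected"; then
        echo "digest mismatch for $zip; key not installed" >&2
        return 2
    fi
    tmp=$(mktemp) || return 1
    if ! unzip -p "$zip" "$member" > "$tmp" || [ ! -s "$tmp" ]; then
        echo "could not extract $member from $zip" >&2
        rm -f "$tmp"
        return 3
    fi
    install -m 0644 "$tmp" "$dest"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# fetch_and_install: postinst-style entry point; returns 4 when the download fails.
fetch_and_install() {
    workdir=$(mktemp -d) || return 1
    if ! wget -q -O "$workdir/tools.zip" "$ZIP_URL"; then
        echo "download failed (no network?); install the key manually" >&2
        rm -rf "$workdir"
        return 4
    fi
    install_key_from_zip "$workdir/tools.zip" "$PINNED_SHA256" "$CERT_MEMBER" "$CERT_DEST"
    rc=$?
    rm -rf "$workdir"
    return $rc
}
```

Because the URL is plain HTTP, the pinned digest is the only thing tying the installed key to the file that was reviewed when the package was built; a new upstream zip requires updating the digest in the package.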