[pkg-eucalyptus-maintainers] Updated euca2ools to version 1.2 in Debian.

Dustin Kirkland kirkland at canonical.com
Sat Mar 13 21:48:18 UTC 2010 

On Fri, 2010-03-12 at 18:57 +0100, Steffen Möller wrote:
> >> Hm, hm, hm, hm. I don't know about how much I should care at the very
> >> moment. The official maintainer is Chris, even though he is too busy
> >> these days to write some "upload this now" mails. So, if something is
> >> sufficiently bad to be reuploaded to the distributions, then Chris
> >> should come up with a new public release first.
> > 
> > Right, that's part of the reason why we had to split and do our own
> > euca2ools package...  We can't really wait.  Our deadlines are firm.
> 
> Uuuuuuuh. Well, let's hope to undo at least that part of your reason. My
> hunch is that you are paid to do that packaging work and can reserve
> respective time for that. This is tough to beat by Charles, me and since
> Chris still has to go through us for the uploads there is not much he
> could help with.

Right, I think we're well on the way to fixing this ;-)

> > It comes straight from Amazon's website, in their ec2-ami-tools:
> >  *  http://s3.amazonaws.com/ec2-downloads/ec2-ami-tools.zip
> 
> Would there be a way to have the user retrieve that file? Or postinst?
> Us hard core Eucalyptus users don't really want to use it :)  (( a lie,
> but it sounds good for a moment ))

Well, I'm not willing or interested in starting a fight over this :-)
We'll just carry the patch in Ubuntu, or find a different package to
land it.

> > I suspect it's somewhat Ubuntu specific.  It's meant to talk to an
> > Ubuntu Enterprise Cloud, rather than just EC2.  But I'll leave that up
> > to you.
> 
> Well, I could imagine also Debian users to be intested in Ubuntu clouds,
> so I am fine with that. Also, I am preferring sending money to Canonical
> over sending it to Amazon, btw.

Okay, sounds good.  Once I'm comfortable uploading to Debian, I'll
upload cloud-utils too.

> > As for dropping to a suggests, we can probably do that.  I'll just need
> > to ensure that we seed cloud-utils in the appropriate places, because
> > we're currently using Recommends to ensure that cloud-utils gets
> > installed in places where euca2ools gets installed.
> 
> Hm. Is the dependency not rather from the cloud-utils to euca2ools?

We like to see them installed together, in Ubuntu.

> Still, I am uncomfortable. I can well understand (given all the legal
>     craziness around) that it is not shipped with upstream.
> 
> What about the file being outdated?
> 
>  > As to the security, I can't imagine any viable concern.  It's a public
> > key, not a private key.
> 
> The key could be changed in some larger series of patches remaining
> unnoticed and allowing some other site to claim to be Amazon.

All that would do is cause users uploading images to Amazon to fail.
The image would be signed by a key other than Amazon, and Amazon's check
of the signature would fail, and the image won't be accepted.

> > You sign your image with this when you upload
> > to Amazon.  Only their private key can decrypt and verify the signature.
> > Unless you want to make euca2ools depend (recommend, suggest)
> > ec2-api-tools (non-free), or you want to point the user to go and
> > retrieve the zip file, extract the public key, and put it into place,
> > euca2ools is of limited usefulness with EC2.
> 
> I'd feel like providing a script "install_amazon_public_key.sh" which
> would do exactly that.

It wouldn't be that hard ...  Just wget of that zip file, unzip to a
temp dir, pull the key out, and install it into the known location.

What about having a conditional in the postinst that does something
like:

  if grep -qsi ubuntu /etc/issue; then
    wget ... && install ...
  fi

Of course, ensuring that a suitable error message is printed if the
machine is not internet-connected, etc.  Would that be acceptable?

> >> Please give a push a chance, just remember to add -guest to what you may
> >> otherwise think to be your ID when specifying the developername.
> > 
> > Okay, can you give me a couple of instructions here, as I don't want to
> > screw up my first upload to Debian :-)
> 
> Until you are accepted as a DM, it is Charles or me to do the upload.
> See some extra notes further down.

Thanks.  It'll take care of the rest of this next week ;-)

Cheers,
:-Dustin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-eucalyptus-maintainers/attachments/20100313/d641b5d8/attachment.pgp>

More information about the pkg-eucalyptus-maintainers mailing list