On Tue, Apr 29, 2014 at 06:38:34PM +0200, Didier Raboud wrote:
> Hi dear docker.io maintainers,

Heyya Didier!

> please consider shipping Debian docker.io pre-built images in proper Debian
> packages. Having "stable" pre-built images in Debian packages ensures a trust
> link within the distribution. I'm not happy with the increasing incentive to
> download distribution images across untrusted links (although index.docker.io
> at least runs over HTTPS).

I totally agree. I've been pushing for docker upstream to adopt OpenPGP
signatures on images, but it looks like they want to go with SSL Certs.
Once those are in place, I'm happy to provide a pseudo-official image.

However, a better and more sustainable solution here is to ship a script
to create a Debian image via debootstrap. Something small and auditable.

I'd been considering a script to take an sbuild tarball => docker image.
I've not done it yet, but this bug is good motivation.

I'll see if there's something I can do to help :)

> One possibility would be to build docker.io images similarly to what is done
> for debian-installer-netboot-images: download packages in a trusted way and
> make sure they get listed in the Built-Using field; then of course make sure
> they get (bin)NMUed at each stable release update.
> 
> Opinions?
> 
> Cheers,
> 
> OdyX

Thanks, OdyX!
  Paul

-- 
 .''`.  Paul Tagliamonte <paul...@debian.org>  |   Proud Debian Developer
: :'  : 4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
`. `'`  http://people.debian.org/~paultag
 `-     http://people.debian.org/~paultag/conduct-statement.txt

Attachment: signature.asc
Description: Digital signature
