[arch-dev-public] Arch Linux Cloud Images (virtualbox and Qemu)

[Christian Rebischke]

Hello everybody,
Some months ago Bartlomiej had the awesome idea to generate qemu and
virtualbox images as well. Afterwards we had a small discussion about
this topic in #archlinux-projects. I would like to refresh this
discussion and move it to this mail thread.

So, our vagrant boxes are building automatically and without issues for
a few months now. I could just generate virtualbox and qemu images as
side products monthly, but I have no idea how we would release them.

Another big topic is security. The vagrant images are at the moment not
signed and seems like vagrantcloud doesn't support this either. This
doesn't mean that we shouldn't sign our qemu or virtualbox images.
We could just generate an automated cloud image signing key (only for
this purpose) of course and automatically sign the images with that key.
Problem with this is: If our build server ever get pwned the person will
have these keys for signing cloud images as well. Any opinion about
this?

In my humble opinion I would be fine with a signing key that follows
only this particular purpose. Another idea would be to move the whole
production process to a physical server behind a firewall that is
physical accessible by one or more Arch Linux Developers.

I really would like to push this forward. Any comments?

Chris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20180513/498f3767/attachment.asc>