Dear Technical Board,

I wish to make you aware of a technical decision taken by the Ubuntu Foundations team concerning a package in the archive. I believe the decision is technically sound and will stand up to scrutiny, but due to the sensitivity and possible precedent-setting involved, I want us to be completely transparent with the community about what is being done and why.

The walinuxagent package in Ubuntu is an agent for the Microsoft Azure cloud, communicating with the cloud substrate and allowing management of various aspects of the guest through the cloud's dashboard / management interface.

The Microsoft Azure team has requested that the package in Ubuntu enable a feature, currently disabled via config setting, that allows the agent to pull down code from a trusted cloud-local endpoint and deploy it on the running system. This is desirable for two reasons:

- it ensures that the agent on the guest remains up-to-date and compatible with the cloud substrate, even on long-running instances whose administrators are not applying package updates on a regular basis
- it enables various optional modules which are part of the Azure platform but are not distributed with the walinuxagent package; they are only available from the walinuxagent endpoint.

Obviously we have good reason for a policy that third-party repositories and code update mechanisms are not allowed for Ubuntu at large. In this case, I believe it's acceptable because:

- in a cloud, this is not the first place in which arbitrary code can be fed into the instance from outside; cloud-init also does the same thing in a more general form
- this is a cloud-local endpoint; we know from the architecture of Azure that this endpoint is controlled by the same party as the virtualization environment itself (i.e. Microsoft), so there is no concern that trusting this endpoint expands the set of targets for an attacker
- the walinuxagent uses several methods to detect that it's running on the correct cloud substrate (specially-formed DHCP responses; locally-attached storage) which ensure that accidentally installing and attempting to run this agent on a non-Azure Ubuntu machine will be a no-op.

If you have any questions about this implementation, please ask.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[email protected]                                     [email protected]
-- technical-board mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/technical-board
