[CentOS-devel] CentOS 7 Public QA OpenVZ OS Template available

Mon Jun 16 00:51:26 UTC 2014
Scott Dowdle <dowdle at montanalinux.org>

Greetings,

----- Original Message -----
> On 06/16/2014 12:42 AM, Scott Dowdle wrote:
> > So after taking the above into consideration you want me to remove
> > it, I will.
> 
> if you can just do that - remove it nightly, to make sure the only  one
> you have there is the same content as we are pushing from buildlogs, and
> remove all signatures.
> 
> We dont think it good enough or usable enough to sign. So having a
> downstream sign it is a bit strange.
> 
> Also, it might be a good idea to work this via the Virt SIG.

Thanks for the quick reply. To have the head dude of the project announce to everyone that I had done something so bad that it makes him consider the decision to build in public... I ain't going to lie... I felt like I was going to throw up for a few minutes.  Seriously. :(

If you change you mind (assuming I understood you correctly) and you want me to take it down I can and will.  I have write access to the OpenVZ contrib OS Templates directory and other than the project leader (Kir Kolyshkin), I'm the only person who posts submissions for contributors.  I pledge to keep it updated and replace it as often as CentOS has milestones... and will have an updated package (later) on CentOS 7 GA day.  I've done it with several previous point releases for the 5.x and 6.x series... for CentOS, SL, and maybe even for OracleEL (once I think).

On the "signing" thing...  contributed OS Templates are "as is" and "use at your own risk" because going through an OS Template to insure it hasn't been tampered with is a lot of work an not even attempted by the project.  It would require making a complete file list, using package manager verification... finding those files that aren't provided-by-a-package as well as those that are provide-by-a-package-but-altered (almost always valid like a config)... and then manually checking what remains.  I've had users ask about the security of the contributed OS Templates... and the best we can do is try to provide information about who built them and link to any outside documentation the creator might have written... as well as providing .asc GPG signature files so the downloader can have some confidence that the OS Template they downloaded came from who it said it came from... and hasn't been altered by someone else.  The web-of-trust isn't prefect but it is better than nothing.  We haven't had reported suspect contributed OS Templates in the 8+ years I've been contributing. I hate to say that because it's like an airline crowing about having no accidents... it tempts fate and I don't like to do that.

It's a contributed OS Template so by its nature, it isn't official. I'm sure Kir will have an "official" (meaning made by the OpenVZ Project itself... which is either Kir himself or the folks back at the Parallels mothership) sometime after CentOS 7 GA.  The official OS Templates always are marked as beta their first release and moved out the next refresh if no problems are reported.  They haven't worked with CentOS in the past... but I have volunteered to help with the Virt SIG... to crete a CentOS variant that has OpenVZ pre-installed/configured... but yeah, it would be nice to have CentOS OS Templates for OpenVZ semi-official posted on centos.org somewhere if possible.  We'll see how it goes as things progress.  It will probably be a while before OpenVZ releases a new OpenVZ kernel based on the EL7 kernel.

Sorry to write so much.  I did try to shorten it as much as I could.  Really.

TYL,
-- 
Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]