Investigate reducing the count of apt sources on Hosted Ubuntu images #2951
Comments
Shouldn't
All of those PPAs should be removed IMO. Only official Ubuntu sources, that is apt origins also present in the official Ubuntu distro should be present.
I would highly appreciate it if you'd offer e.g. an ubuntu-20.04-vanilla that does not add anything beyond what Ubuntu ships with.
Has there been further action on this? The workaround I have been using just started failing (
Which is fine. I'll add So... what is going on? Am I getting broken VMs or was there a change within the last 24 hours? Aside: I don't fully agree with treating this as a major security issue, but nor do I disagree. Installing packages from the public Internet involves a huge amount of trust. Counterpoint: we should follow the news. PHP development just moved to GitHub because running their own git servers was an unnecessary point of vulnerability.
Yes
It was done here: #3077
It's an ongoing process which takes time to properly replace sources.
We have merged all our PRs:
All PRs except the latest two will be included in this week's rollout. The latest two PRs will be included in the next image rollout.
@sirosen, I think this workaround is not needed anymore because apt source was removed.
Awesome! Thanks so much for the speedy replies! I just wanted to know what was up. Without activity on this issue, and given that it takes time from the PR merging until the user (me) sees a change, it wasn't clear if this work was active or stalled.
After these all changes deployed, the list of repos should be:
Significantly shorter than the initial list in the first issue. We will continue working to cut it more.
Hello everyone! Posting the new update based on the image that we will deploy next week.
(Potentially, we can also remove http://ppa.launchpad.net/ansible/ansible/ubuntu and http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu and https://esm.ubuntu.com/infra/ubuntu from 16.04, but according to #3287 Ubuntu 16.04 is going to be deprecated in 3 months so we have decided to leave it.) Some information about the remaining repos:
Initially, there were about 20 apt repos and this number was reduced to 4 repos on Ubuntu 20.04, which looks like a good improvement for image reliability. I will close this issue since we have decided to leave the remaining repos on images for now.
fantastic! this is highly appreciated. thanks a lot! of the remaining 6 repositories, only 2 are published by Canonical, one of these is "Ubuntu" itself, the other I suspect (but don't know for sure) is specifically for Ubuntu on Azure (hypervisor stuff and such).
For a regular Ubuntu user, the other 4 repos are not needed, but are a security risk:
It's a pity that GitHub was bought by MS. Now we all have to pay a price because "MS customers" can't get their CI/CD pipelines right (as in, not depend on random external PPAs or even use PHP in the first place;) anyways, IMO closing this issue (without a follow-up one) is the wrong action - it will only get worse. at the very least, GitHub users should be warned in the docs that they do not get a plain vanilla Ubuntu experience / security profile. but again, thanks @maxim-lobanov for your heroic efforts and progress!
it is broken (404), with resulting fallout: https://www.theregister.com/2021/06/17/microsoft_packages_404/ why is Microsoft forcing users to reference and try-update-fail on PPAs that are non-standard, unneeded and might open additional attack surfaces? why would I care that the (broken) PPA is "MS official" when I'm using Ubuntu and the PPA is not "Canonical official"?
Docker, .NET, PowerShell, MSSQL, etc.
There is no such thing as "regular Ubuntu user"
Because there is nothing standard here, GitHub Actions (as per documentation) is a platform that is managed by staff so that users don't have to do it themselves.
Because you are using
Why is it my responsibility to add Microsoft repository and not your responsibility to remove it during a workflow?
Maybe you will understand if I use Linux people language: RTFM! I'm sure that there are more people who are happy when most of their stuff works out of the box thanks to the tools pre-installed in GHA runners than there are people who bitch about it.
Ok, fair enough! Let me rephrase: none of those MS repos is default (== comes in a Canonical install) or necessary to install or use Ubuntu.
Sure. Standard == everything, but only that (iow: exactly) all software sources that come with an official Canonical distro. Last time I looked, that did not include those MS PPAs.
Yes, we're doing that for some repos already, but it is a lot of work, since historically, we had everything on hosted runners.
I did read the manual - when GitHub was still an independent company. Then MS decided to change stuff. and sure, I missed the announcement (I assume there was one) that new PPAs would be added to the hosted images. My bad. My whole point is: if I use an image "ubuntu", I expect it to expose me to Canonical SW upstream only - but not MS. if there would be a separate "ubuntu-microsoft", that would make everything crystal clear and non-controversial. anyways, just my 2cts. I very much appreciate the work that Maxim did on clearing up the set of PPAs!
I doubt that, but in my perspective, the problem is the unwanted additional attack / problem surface. a price paid by all other users (ones that don't need any MS stuff).
I don't really need my inbox spammed just because someone read an El Reg article about an outage. If you just want to complain about the fact that GitHub was bought by Microsoft, please just open another issue so that someone from GitHub can close it with prejudice. This is the price you pay when you use a CI service, rather than running your own Jenkins box or whatever. You don't have full control over the platform. They definitely need to have docker installed to make the platform work ("services" and docker actions), and doing it from a Microsoft repo is a very reasonable choice. Use of that one repo is not a part of the prior issue that there were simply too many repos, many of them maintained neither by Canonical nor by Microsoft. The GitHub team has handled this issue in pretty much the best way I can imagine, removing as many sources as they have found to be possible. I'm super happy with everything about how this went down. ... Except for the part where I get irrelevant mail months after the fact because someone disagrees with the decisions they made on what to keep. I'm unsubscribing from this issue so that doesn't happen again.
Description
Currently, Hosted Ubuntu images have a pretty huge list of apt sources:
It causes two types of problems:
- apt update takes much time
- apt update fails if one of the sources is not available. Some community-managed sources can be unavailable and it will break a lot of user builds.
Ideally, we should keep a minimal number of sources on images:
We should consider reducing the list of sources to improve reliability of apt update.
What should be investigated / considered for every source:
I don't expect to remove these sources in the scope of this issue. Let's start with the investigation and share the investigation results.
Related issue: #2919
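The issue body above makes the reliability point (apt update only succeeds if every configured origin answers) and the comments argue about whose job it is to drop the non-Canonical repos during a workflow. The shell script below is an added example, not code from the hosted-image project or from any participant in this thread. It inventories the apt sources below a directory laid out like /etc/apt, classifies each entry by the host it points at, counts the ones that are not Canonical origins, and can reversibly disable the sources.list.d files that contain them. The allow-list of Canonical hosts, the sample sources files it constructs, and the placeholder vendor host and keyring path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the hosted-image project's code). Audits apt sources under a
# directory shaped like /etc/apt, classifies each by origin host, and can reversibly
# disable list files that pull from non-Canonical origins. The allow-list below and
# the sample tree built by make_sample_apt_tree are assumptions for illustration.
set -eu

tab=$(printf '\t')

# Print "URL<TAB>FILE" for every active deb/deb-src entry under DIR
# (DIR/sources.list plus DIR/sources.list.d/*.list); comments and blanks are skipped.
list_apt_sources() {
    local dir f
    dir=$1
    for f in "$dir/sources.list" "$dir"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[[:space:]]*#/ || NF == 0 { next }
            $1 == "deb" || $1 == "deb-src" {
                i = 2
                # an options block such as [arch=amd64 signed-by=...] precedes the URL
                if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
                if (i <= NF) print $i "\t" file
            }' "$f"
    done
}

# Reduce a repository URL to its host name (scheme, port and path stripped).
url_host() {
    local h
    h=${1#*://}
    h=${h%%/*}
    printf '%s\n' "${h%%:*}"
}

# "canonical" for the Ubuntu archive, its regional/cloud mirrors and ESM; everything
# else (PPAs, vendor repos) is "third-party". The allow-list is an assumption.
classify_host() {
    case $1 in
        archive.ubuntu.com|security.ubuntu.com|*.archive.ubuntu.com|esm.ubuntu.com)
            echo canonical ;;
        *)  echo third-party ;;
    esac
}

# Print "CLASS<TAB>HOST<TAB>FILE" for every entry under DIR.
audit_apt_sources() {
    list_apt_sources "$1" | while IFS="$tab" read -r url file; do
        host=$(url_host "$url")
        printf '%s\t%s\t%s\n' "$(classify_host "$host")" "$host" "$file"
    done
}

# Number of third-party entries; a CI step can fail the job when this is non-zero.
count_third_party() {
    audit_apt_sources "$1" | grep -c "^third-party" || true
}

# Rename each sources.list.d file holding a third-party entry to NAME.disabled so apt
# stops reading it (reversible, unlike rm); the main sources.list is left alone.
# Prints the files that were moved.
disable_third_party_lists() {
    audit_apt_sources "$1" | awk -F "$tab" -v main="$1/sources.list" \
        '$1 == "third-party" && $3 != main { print $3 }' | sort -u |
    while read -r f; do
        mv "$f" "$f.disabled"
        printf '%s\n' "$f"
    done
}

# Constructed sample apt tree for a stand-alone run; not a real runner image.
# The vendor host and keyring path are placeholders.
make_sample_apt_tree() {
    mkdir -p "$1/sources.list.d"
    cat > "$1/sources.list" <<'EOF'
deb http://azure.archive.ubuntu.com/ubuntu/ focal main restricted universe
# deb-src http://azure.archive.ubuntu.com/ubuntu/ focal main restricted universe
deb http://security.ubuntu.com/ubuntu/ focal-security main restricted universe
EOF
    cat > "$1/sources.list.d/ansible-ppa.list" <<'EOF'
deb http://ppa.launchpad.net/ansible/ansible/ubuntu focal main
EOF
    cat > "$1/sources.list.d/vendor-prod.list" <<'EOF'
deb [arch=amd64 signed-by=/usr/share/keyrings/vendor-placeholder.gpg] https://packages.vendor.example/ubuntu/20.04/prod focal main
EOF
    cat > "$1/sources.list.d/ubuntu-esm-infra.list" <<'EOF'
deb https://esm.ubuntu.com/infra/ubuntu focal-infra-security main
EOF
}

# Stand-alone run: audit the sample tree, or a real directory such as /etc/apt when
# given as the first argument (auditing is read-only; disabling is a separate call).
main() {
    if [ $# -gt 0 ]; then
        dir=$1
    else
        dir=$(mktemp -d)
        make_sample_apt_tree "$dir"
    fi
    audit_apt_sources "$dir"
    echo "third-party entries: $(count_third_party "$dir")"
}
main "$@"
```

In a workflow the audit step would run against /etc/apt before apt update and fail the job (or call disable_third_party_lists) when count_third_party is non-zero, which turns the "an unavailable community source breaks the build" failure mode into an explicit, early check. Renaming to .disabled rather than deleting keeps the change reversible for anyone who does need one of the vendor repositories.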