Easy image generation and hosting for Debian Blends and others
The problem
Various projects need to generate images (either live or installers, in DVD format or as disk images or even containers). Often with non-free contents e.g. drivers and firmware and with a quick build-deploy-test process.
For example: the Mobian project, https://raspi.debian.net/ , FreedomBox, various VM images.
With the increasing popularity of FOSS-friendly phones, tablets and SBCs like Raspberry Pi such need might grow.
Actual situation
Projects wanting to build and publish big artifacts have to:
- Find hardware or pay for VMs. Sometimes multiple architectures are required.
- Set up webservers, handle TLS certificates and domains, optionally deploy a buildbot.
- Maintain the host security for its entire lifetime.
Such process creates duplication of efforts between different teams and creates an entry barrier for smaller teams.
More importantly, it provides no transparency and accountability around the image building and hosting. End users have to fully trust the security of the build system and the people involved.
Expected situation
Image building could be done using Salsa's CI at https://salsa.debian.org/<team>/<project> or a dedicated buildbot.
The artifacts could be hosted at https://images.debian.net/<team>/<project> with an HTML page providing a simple index.
A bit of metadata in debian/gitlab-ci.yml can provide a version number for the build, a free/non-free flag, a tag for stable/test/experimental and a description. Such metadata would be shown in the HTML index together with a clear warning that none of the contents of images.debian.net is an official Debian release.
Builds might be started by any contributor but a git tag would need to be signed by a DD to have the image published. The artifacts can be signed centrally by the build system.
Projects could be given a modest disk quota as default and the option to ask for larger quotas.
This process can be used for both images and containers.