[Bug 2098393] Re: [needs-packaging] azure-proxy-agent
Simon Quigley
2098393 at bugs.launchpad.net
Wed Feb 19 16:21:45 UTC 2025
Hi Gauthier,
Thank you very much for all the fixes! This looks good for an initial
upload now, with future changes sponsored to that.
Two things for your own reference:
- I usually run Lintian with `-EvIiL +pedantic` - an easy way to remember this is, "some sponsors can be evil and pedantic." ;)
- For your PPA, usually I use `~` to indicate that it's "less than" the archive upload, and thus gets superseded by it. A protip for you: `dpkg --compare-versions 3.2.7-1ubuntu1 gt 3.3.7-1build3 && echo "Condition met" || echo "Condition not met"`
> Here I don't really understand, I moved the tests to `d/tests` but I
> don't think it's a good idea because then `dh_auto_test` doesn't run
> them anymore. Can you be more specific?
autopkgtests vs build-time tests. :)
Ideally they're run in both spots.
I've uploaded this to Plucky now, awaiting review from an Ubuntu Archive
Administrator.
Thank you!
--
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2098393
Title:
[needs-packaging] azure-proxy-agent
Status in Ubuntu:
New
Bug description:
URL: https://github.com/Azure/GuestProxyAgent/
License: MIT
Notes:
The GuestProxyAgent (GPA) enhances the security of Azure Instance Metadata Service (IMDS) and Azure Wireserver endpoints (e.g., 169.254.169.254 and 168.63.129.16) on Azure IaaS virtual machines. It introduces strong authentication and authorization measures to mitigate common attacks such as confused deputy (e.g., SSRF) and sandbox escapes that target metadata services.
GPA intercepts HTTP requests to these endpoints using eBPF, allowing
it to verify the identity of in-guest processes. By transitioning from
a default-open to a default-closed access model, GPA ensures that only
authorized processes (as defined by a trusted delegate established at
provisioning) can retrieve sensitive metadata. Requests must include
an HMAC-based signature generated with a long-lived secret negotiated
during setup, reinforcing the point-to-point trust relationship.
Test builds are available from ppa:gjolly/azure-proxy-agent
(https://launchpad.net/~gjolly/+archive/ubuntu/azure-proxy-agent2)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/2098393/+subscriptions