[glance][interop] standardized image "name" ?

Jeremy Stanley fungi at yuggoth.org
Thu Apr 11 23:28:05 UTC 2019


On 2019-04-12 00:40:03 +0200 (+0200), Thomas Goirand wrote:
> The nice thing, is that Glance provides checksums. Meaning that,
> if you do:
> 
> openstack image show -c checksum -f value \
> debian-9.8.2-20190303-openstack-amd64.qcow2
> 
> then you can make sure that's the same MD5 than at:
> 
> http://cdimage.debian.org/cdimage/openstack/archive/9.8.2-20190303/MD5SUMS

Well, I'm frequently booting from testing/unstable snapshots so even
if providers do have them in their catalogs they don't necessarily
update them on the same schedules. Thankfully, Glance has become
fairly ubiquitous in public OpenStack providers in recent years, so
at least I can grab one snapshot and upload it to all the
projects/regions I'm using.

> In such case, you know your cloud provider hasn't modified the
> official Debian image.

Well, last I checked, Nova doesn't *actually* verify those
checksums, and even if it did the software could still be adjusted
by a malicious operator anyway. But you're right, for well-known
images it at least means there's probably been no "helpful"
modifications made by the provider to "improve" my experience in
their environment.

> It's just a shame that Glance doesn't show MD5 and not sha512 sums
> by default...

It's not really that big of a deal. As pointed out, those checksums
aren't protecting you from malicious operators (really nothing can,
short of maybe executing workloads via homomorphic encryption and
storing data with something like Tahoe-LAFS), so they're merely
informational. And MD5 is not yet so compromised that I can make a
backdoored replacement image which calculates to the same md5sum as
an official Debian image unless I've also got control of some of the
data being included in that image (and if I had that, I probably
wouldn't need to resort to orchestrating checksum collisions to
carry out my nefarious plans for World domination anyway).
-- 
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190411/34c79202/attachment.sig>


More information about the openstack-discuss mailing list