[glance][interop] standardized image "name" ?
Artem Goncharov
artem.goncharov at gmail.com
Fri Apr 12 18:36:59 UTC 2019
On Fri, 12 Apr 2019, 20:29 Jeremy Stanley, <fungi at yuggoth.org> wrote:
> On 2019-04-12 09:27:35 -0500 (-0500), Sean McGinnis wrote:
> [...]
> > Hmm, according to the spec, Nova verifies those checksums as of Mitaka
> [0].
> > Though Cinder did not get the same enforcement until Rocky [1].
> >
> > [0]
> https://specs.openstack.org/openstack/nova-specs/specs/mitaka/implemented/image-verification.html
> > [1]
> https://specs.openstack.org/openstack/cinder-specs/specs/rocky/support-image-signature-verification.html
> >
> > (And specs are always 100% accurate, right?)
>
> Neat, I had no idea that had improved in the past few years. At any
> rate, my main point still stands: if you don't trust the operators
> of that environment then the checksums are pure theater, since they
> could disable checksum validation or even just serve you a
> completely fictional hash from the catalog.
>
Fictional hash - how true it really is sometimes. Don't trust the
checksums. In the cloud I'm using the uploaded image is being automatically
converted for a backend storage by a plugin, therefore the checksum us just
a trash. And you anyway can't download image back, so you can't do anything
with the checksum anyway.
Artem
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190412/72211782/attachment.html>
More information about the openstack-discuss
mailing list