[release-announce] python-glanceclient 2.14.0 (stein)

no-reply at openstack.org
Thu Nov 1 14:17:26 UTC 2018


We are excited to announce the release of:

python-glanceclient 2.14.0: OpenStack Image API Client Library

This release is part of the stein release series.

The source is available from:

    https://git.openstack.org/cgit/openstack/python-glanceclient

Download the package from:

    https://pypi.org/project/python-glanceclient

Please report issues through launchpad:

    https://bugs.launchpad.net/python-glanceclient

For more details, please see below.

2.14.0
^^^^^^


New Features
************

* This release adds verification of image data downloads using the
  Glance "multihash" feature introduced in the OpenStack Rocky
  release.  When the "os_hash_value" is populated on an image, the
  glanceclient will verify this value by computing the hexdigest of
  the downloaded data using the algorithm specified by the image's
  "os_hash_algo" property.

  Because the secure hash algorithm specified is determined by the
  cloud provider, it is possible that the "os_hash_algo" may identify
  an algorithm not available in the version of the Python "hashlib"
  library used by the client.  In such a case the download will fail
  due to an unsupported hash type.  To handle this case, a new
  option, "--allow-md5-fallback", is introduced to the
  "image-download" command.  When present, this option will allow the
  glanceclient to use the legacy MD5 checksum to verify the downloaded
  data if the secure hash algorithm specified by the "os_hash_algo"
  image property is not supported.

  Note that the fallback is *not* used in the case where the algorithm
  is supported but the hexdigest of the downloaded data does not match
  the "os_hash_value".  In that case the download fails regardless of
  whether the option is present or not.

  Whether using the "--allow-md5-fallback" option is a good idea
  depends upon the user's expectations for the verification.  MD5 is
  an insecure hashing algorithm, so if you are interested in making
  sure that the downloaded image data has not been replaced by a
  datastream carefully crafted to have the same MD5 checksum, then you
  should not use the fallback.  If, however, you are using Glance in a
  trusted environment and your interest is simply to verify that no
  bits have flipped during the data transfer, the MD5 fallback is
  sufficient for that purpose.  That being said, it is our
  recommendation that the multihash should be used whenever possible.


Security Issues
***************

* This release of the glanceclient uses the Glance "multihash"
  feature, introduced in Rocky, to use a secure hashing algorithm to
  verify the integrity of downloaded data.  Legacy images without the
  "multihash" image properties ("os_hash_algo" and "os_hash_value")
  are verified using the MD5 "checksum" image property.
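
The verification rules described in the New Features and Security Issues notes above, as an added Python sketch (not glanceclient's own code). The names verify_download, digest and VerificationError are hypothetical, the image record is constructed, and rejecting an image that has no checksum at all is this sketch's choice.

```python
import hashlib
import hmac


class VerificationError(Exception):
    """Downloaded image data could not be verified."""


def digest(algo, chunks):
    """Hexdigest of the chunks; ValueError if hashlib lacks the algorithm."""
    h = hashlib.new(algo)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def verify_download(image, chunks, allow_md5_fallback=False):
    """Return the name of the algorithm that verified the data, or raise."""
    chunks = list(chunks)
    algo = image.get("os_hash_algo")
    expected = image.get("os_hash_value")
    if algo and expected:
        try:
            actual = digest(algo, chunks)
        except ValueError:
            # Algorithm unknown to this hashlib: the only case where the
            # fallback applies, and only when explicitly allowed.
            if not allow_md5_fallback:
                raise VerificationError("unsupported hash type: " + algo)
            algo, expected, actual = "md5", image.get("checksum"), None
    else:
        # Legacy image without multihash properties: MD5 "checksum" only.
        algo, expected, actual = "md5", image.get("checksum"), None
    if not expected:
        raise VerificationError("image has no checksum to verify against")
    if actual is None:
        actual = digest("md5", chunks)
    # A mismatch is always fatal; it never triggers the fallback.
    if not hmac.compare_digest(actual, expected.lower()):
        raise VerificationError(algo + " digest mismatch")
    return algo


# Constructed sample: an image record from a Rocky-or-later Glance.
DATA = [b"constructed ", b"image bytes"]
IMAGE = {
    "os_hash_algo": "sha512",
    "os_hash_value": digest("sha512", DATA),
    "checksum": digest("md5", DATA),
}
print(verify_download(IMAGE, DATA))  # sha512
```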

Changes in python-glanceclient 2.12.0..2.14.0
---------------------------------------------

93636d6 Refactor periodic "tips" jobs
997e91f Cleanup .zuul.yaml
8fd7e8c Use "multihash" for data download validation
5fa921a add lib-forward-testing-python3 test job
1459902 add python 3.6 unit test job
99c3fc1 switch documentation job to new PTI
0018ad6 import zuul job settings from project-config
a757757 Remove team diversity tags note in README
1ad9db6 Update reno for stable/rocky
eba4bb0 Skip quote '=' for token header


Diffstat (except docs and test files)
-------------------------------------

.zuul.yaml                                         |  39 +++-
README.rst                                         |   7 +-
glanceclient/common/http.py                        |   2 +-
glanceclient/common/utils.py                       |  20 ++
glanceclient/v2/images.py                          |  63 +++++-
glanceclient/v2/shell.py                           |  14 +-
...ash-download-verification-596e91bf7b68e7db.yaml |  41 ++++
releasenotes/source/index.rst                      |   1 +
releasenotes/source/rocky.rst                      |   6 +
14 files changed, 442 insertions(+), 38 deletions(-)






