[release-announce] python-glanceclient 2.13.0 (rocky)
no-reply at openstack.org
Wed Oct 31 22:19:20 UTC 2018
We are psyched to announce the release of:
python-glanceclient 2.13.0: OpenStack Image API Client Library
This release is part of the rocky stable release series.
The source is available from:
https://git.openstack.org/cgit/openstack/python-glanceclient
Download the package from:
https://pypi.org/project/python-glanceclient
Please report issues through launchpad:
https://bugs.launchpad.net/python-glanceclient
For more details, please see below.
2.13.0
^^^^^^
New Features
************
* This release adds verification of image data downloads using the
  Glance "multihash" feature introduced in the OpenStack Rocky
  release. When the "os_hash_value" is populated on an image, the
  glanceclient will verify this value by computing the hexdigest of
  the downloaded data using the algorithm specified by the image's
  "os_hash_algo" property.

  Because the secure hash algorithm specified is determined by the
  cloud provider, it is possible that the "os_hash_algo" may identify
  an algorithm not available in the version of the Python "hashlib"
  library used by the client. In such a case the download will fail
  due to an unsupported hash type. In the event this occurs, a new
  option, "--allow-md5-fallback", is introduced to the
  "image-download" command. When present, this option will allow the
  glanceclient to use the legacy MD5 checksum to verify the downloaded
  data if the secure hash algorithm specified by the "os_hash_algo"
  image property is not supported.

  Note that the fallback is *not* used in the case where the algorithm
  is supported but the hexdigest of the downloaded data does not match
  the "os_hash_value". In that case the download fails regardless of
  whether the option is present or not.

  Whether using the "--allow-md5-fallback" option is a good idea
  depends upon the user's expectations for the verification. MD5 is
  an insecure hashing algorithm, so if you are interested in making
  sure that the downloaded image data has not been replaced by a
  datastream carefully crafted to have the same MD5 checksum, then you
  should not use the fallback. If, however, you are using Glance in a
  trusted environment and your interest is simply to verify that no
  bits have flipped during the data transfer, the MD5 fallback is
  sufficient for that purpose. That being said, it is our
  recommendation that the multihash should be used whenever possible.
Security Issues
***************
* This release of the glanceclient uses the Glance "multihash"
feature, introduced in Rocky, to use a secure hashing algorithm to
verify the integrity of downloaded data. Legacy images without the
"multihash" image properties ("os_hash_algo" and "os_hash_value")
are verified using the MD5 "checksum" image property.
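The verification rules described in the two notes above, written out as an added Python sketch (not code from python-glanceclient). The function name, the exception class, the dict-shaped image record and the "no hash at all" branch are assumptions of this example; the sample data is constructed.

```python
import hashlib


class VerificationError(Exception):
    """Downloaded image data could not be verified."""


def verify_download(chunks, image, allow_md5_fallback=False):
    """Hash the downloaded chunks; return the algorithm that verified them.

    `image` is a dict of image properties: os_hash_algo, os_hash_value, checksum.
    """
    algo, expected = image.get("os_hash_algo"), image.get("os_hash_value")
    if expected:
        try:
            hasher = hashlib.new(algo)
        except (ValueError, TypeError):
            # Algorithm unknown to this hashlib: the only case where the
            # fallback applies, and only if the caller opted in.
            if not (allow_md5_fallback and image.get("checksum")):
                raise VerificationError("unsupported hash type: %r" % (algo,))
            algo, expected, hasher = "md5", image["checksum"], hashlib.md5()
    elif image.get("checksum"):
        # Legacy image without multihash properties: MD5 "checksum" only.
        algo, expected, hasher = "md5", image["checksum"], hashlib.md5()
    else:
        # Assumption of this sketch: nothing to verify against.
        return None
    for chunk in chunks:
        hasher.update(chunk)
    if hasher.hexdigest() != expected:
        # A mismatch is final; the MD5 fallback is never consulted here.
        raise VerificationError("%s digest mismatch" % algo)
    return algo


# Constructed sample data and image records (not real Glance output).
DATA = [b"constructed image bytes " * 64, b"second chunk"]
MD5 = hashlib.md5(b"".join(DATA)).hexdigest()
SHA512 = hashlib.sha512(b"".join(DATA)).hexdigest()
MODERN = {"os_hash_algo": "sha512", "os_hash_value": SHA512, "checksum": MD5}
LEGACY = {"checksum": MD5}
UNSUPPORTED = {"os_hash_algo": "constructed-unknown-algo",
               "os_hash_value": "00" * 32, "checksum": MD5}
MISMATCH = {"os_hash_algo": "sha512", "os_hash_value": "00" * 64, "checksum": MD5}

if __name__ == "__main__":
    print(verify_download(DATA, MODERN))
    print(verify_download(DATA, UNSUPPORTED, allow_md5_fallback=True))
```

The MISMATCH record carries a correct MD5 checksum next to a wrong "os_hash_value"; it fails even with the fallback enabled, which is the behaviour the note above calls out.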
Changes in python-glanceclient 2.12.1..2.13.0
---------------------------------------------
395d0f1 Use "multihash" for data download validation
0f1b1bf Refactor periodic "tips" jobs
b672c6a import zuul job settings from project-config
Diffstat (except docs and test files)
-------------------------------------
.zuul.yaml | 36 ++-
glanceclient/common/utils.py | 20 ++
glanceclient/v2/images.py | 63 +++++-
glanceclient/v2/shell.py | 14 +-
...ash-download-verification-596e91bf7b68e7db.yaml | 41 ++++
9 files changed, 426 insertions(+), 28 deletions(-)