On Fri, 12 Apr 2019, 20:29 Jeremy Stanley, <fungi@yuggoth.org> wrote:
On 2019-04-12 09:27:35 -0500 (-0500), Sean McGinnis wrote: [...]
Hmm, according to the spec, Nova verifies those checksums as of Mitaka [0]. Though Cinder did not get the same enforcement until Rocky [1].
[0] https://specs.openstack.org/openstack/nova-specs/specs/mitaka/implemented/im... [1] https://specs.openstack.org/openstack/cinder-specs/specs/rocky/support-image...
(And specs are always 100% accurate, right?)
Neat, I had no idea that had improved in the past few years. At any rate, my main point still stands: if you don't trust the operators of that environment then the checksums are pure theater, since they could disable checksum validation or even just serve you a completely fictional hash from the catalog.
Fictional hash - how true it really is sometimes. Don't trust the checksums. In the cloud I'm using the uploaded image is being automatically converted for a backend storage by a plugin, therefore the checksum us just a trash. And you anyway can't download image back, so you can't do anything with the checksum anyway. Artem