On Fri, Apr 12, 2019 at 09:00:31AM +0200, Thomas Goirand wrote:
On 4/12/19 1:28 AM, Jeremy Stanley wrote:
On 2019-04-12 00:40:03 +0200 (+0200), Thomas Goirand wrote:
In such case, you know your cloud provider hasn't modified the official Debian image.
Well, last I checked, Nova doesn't *actually* verify those checksums, and even if it did the software could still be adjusted by a malicious operator anyway.
Oh, what do you mean? I thought it had an option for that...
Cheers,
Thomas Goirand (zigo)
Hmm, according to the spec, Nova verifies those checksums as of Mitaka [0]. Though Cinder did not get the same enforcement until Rocky [1]. [0] https://specs.openstack.org/openstack/nova-specs/specs/mitaka/implemented/im... [1] https://specs.openstack.org/openstack/cinder-specs/specs/rocky/support-image... (And specs are always 100% accurate, right?)