On 2019-04-12 00:40:03 +0200 (+0200), Thomas Goirand wrote:
> The nice thing, is that Glance provides checksums. Meaning that, if you do:
>
> openstack image show -c checksum -f value \
>     debian-9.8.2-20190303-openstack-amd64.qcow2
>
> then you can make sure that's the same MD5 than at:
> http://cdimage.debian.org/cdimage/openstack/archive/9.8.2-20190303/MD5SUMS
Well, I'm frequently booting from testing/unstable snapshots so even if providers do have them in their catalogs they don't necessarily update them on the same schedules. Thankfully, Glance has become fairly ubiquitous in public OpenStack providers in recent years, so at least I can grab one snapshot and upload it to all the projects/regions I'm using.
> In such case, you know your cloud provider hasn't modified the official Debian image.
Well, last I checked, Nova doesn't *actually* verify those checksums, and even if it did the software could still be adjusted by a malicious operator anyway. But you're right, for well-known images it at least means there's probably been no "helpful" modifications made by the provider to "improve" my experience in their environment.
> It's just a shame that Glance doesn't show MD5 and not sha512 sums by default...
It's not really that big of a deal. As pointed out, those checksums aren't protecting you from malicious operators (really nothing can, short of maybe executing workloads via homomorphic encryption and storing data with something like Tahoe-LAFS), so they're merely informational. And MD5 is not yet so compromised that I can make a backdoored replacement image which calculates to the same md5sum as an official Debian image unless I've also got control of some of the data being included in that image (and if I had that, I probably wouldn't need to resort to orchestrating checksum collisions to carry out my nefarious plans for World domination anyway).
--
Jeremy Stanley
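The comparison the thread describes (the value from `openstack image show -c checksum -f value` against the matching line in Debian's MD5SUMS) is easy to get subtly wrong: the coreutils checksum format has a text-mode form (`<hex>  <file>`) and a binary-mode form (`<hex> *<file>`), and comparing a 32-character MD5 against a 128-character sha512 silently fails. The script below is an added example written for this page, not code from either poster or from Glance or Debian. It parses a checksum file, verifies a Glance-reported value against it, and also checks a local copy of the image with any hashlib algorithm, so the same code works against SHA512SUMS if the provider's Glance exposes a sha512 value (that Debian publishes SHA512SUMS next to MD5SUMS, and that any network fetch happens outside this script, are assumptions). The image bytes and the checksum files are constructed stand-ins so it runs offline. As the post says, a match only rules out unintentional or "helpful" provider edits; it is not a defence against an operator who controls the hypervisor.

```python
import hashlib
import hmac

# Constructed stand-in for the published image bytes (not a real Debian image;
# the qcow2 magic prefix is only decoration).
IMAGE_NAME = "debian-9.8.2-20190303-openstack-amd64.qcow2"
OFFICIAL_IMAGE = b"QFI\xfb" + b"\x00" * 64 + b"constructed sample image body\n"
# A provider-side "improvement" appended to the image, to show a mismatch.
TAMPERED_IMAGE = OFFICIAL_IMAGE + b"# helpful modification by your cloud operator\n"


def digest(data: bytes, algo: str) -> str:
    """Hex digest of data with the named hashlib algorithm ('md5', 'sha512', ...)."""
    return hashlib.new(algo, data).hexdigest()


# Constructed stand-ins for the MD5SUMS / SHA512SUMS files on cdimage.debian.org,
# in coreutils format: text mode uses two spaces, binary mode one space and '*'.
PUBLISHED_SUMS = {
    "md5": (
        f"{digest(OFFICIAL_IMAGE, 'md5')}  {IMAGE_NAME}\n"
        f"{digest(b'unrelated', 'md5')}  debian-9.8.2-20190303-openstack-arm64.qcow2\n"
    ),
    "sha512": f"{digest(OFFICIAL_IMAGE, 'sha512')} *{IMAGE_NAME}\n",
}


def parse_sums(text: str) -> dict:
    """Parse coreutils-style checksum lines into {filename: lowercase hex digest}.

    Accepts both the text-mode ('  ') and binary-mode (' *') separators and
    skips blank lines and '#' comments.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line; ignore rather than trust it
        hexdigest, name = parts
        if name.startswith("*"):
            name = name[1:]
        sums[name] = hexdigest.lower()
    return sums


def verify_image(glance_checksum: str, glance_algo: str, sums_text: str, name: str) -> bool:
    """Compare the checksum Glance reports for `name` with the published value.

    `glance_checksum` is what `openstack image show -c checksum -f value <name>`
    prints (MD5 for Glance's `checksum` field); `glance_algo` names the hash it
    was produced with. Returns False if the name is absent, if the published
    digest is not the right length for that algorithm, or if the values differ.
    """
    published = parse_sums(sums_text).get(name)
    if published is None:
        return False
    if len(published) != hashlib.new(glance_algo).digest_size * 2:
        return False  # e.g. an MD5SUMS line checked as if it were sha512
    return hmac.compare_digest(published, glance_checksum.strip().lower())


def verify_local_image(image_bytes: bytes, sums_text: str, name: str, algo: str) -> bool:
    """Hash a local copy of the image yourself and check it against the published file."""
    return verify_image(digest(image_bytes, algo), algo, sums_text, name)


if __name__ == "__main__":
    for algo in ("md5", "sha512"):
        ok = verify_local_image(OFFICIAL_IMAGE, PUBLISHED_SUMS[algo], IMAGE_NAME, algo)
        bad = verify_local_image(TAMPERED_IMAGE, PUBLISHED_SUMS[algo], IMAGE_NAME, algo)
        print(f"{algo}: official matches={ok}, tampered matches={bad}")
```

In practice you would paste the Glance output into `verify_image` and the downloaded MD5SUMS (or SHA512SUMS) text into `sums_text`; the constant-time comparison is habit rather than necessity here, since the published digest is public anyway.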