On 2019-04-14 00:53:47 +0200 (+0200), Thomas Goirand wrote:
> On 4/12/19 8:06 PM, Jeremy Stanley wrote:
> > On 2019-04-12 09:27:35 -0500 (-0500), Sean McGinnis wrote:
> > [...]
> > > Hmm, according to the spec, Nova verifies those checksums as of Mitaka [0]. Though Cinder did not get the same enforcement until Rocky [1].
> > >
> > > [0] https://specs.openstack.org/openstack/nova-specs/specs/mitaka/implemented/im...
> > > [1] https://specs.openstack.org/openstack/cinder-specs/specs/rocky/support-image...
> > >
> > > (And specs are always 100% accurate, right?)
> >
> > Neat, I had no idea that had improved in the past few years. At any rate, my main point still stands: if you don't trust the operators of that environment then the checksums are pure theater, since they could disable checksum validation or even just serve you a completely fictional hash from the catalog.
>
> If you believe your host is capable of such things, you probably should go somewhere else.

Yes, that was my point in a nutshell. (Well, s/capable/guilty/ as all operators are *capable* of making these alterations, but we mostly expect them to be honest enough not to.) Image checksums reported by the API are no guarantee, regardless of whether they're MD5 or SHA2-512. Either you trust your provider hasn't made alterations or you don't. It's far easier to just fake the checksum in the API than it is to engineer an MD5 hash collision a la second preimage attack, so the fact that the MD5 algorithm is considered cryptographically "weak" these days means very little in this context.

-- 
Jeremy Stanley
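The trust-boundary point made in this thread can be shown in a few lines. The following is an added example, not code from the thread or from Nova, Cinder or Glance: a stand-in catalog (`ImageCatalog`, a constructed class, not a Glance API) serves an image together with a checksum computed over whatever it currently holds, so an image substituted by the catalog's operator still passes an "in-band" check. Only a digest pinned from an independent source (here, recorded from the publisher's copy before any catalog is consulted) detects the substitution. Running the same checks with `md5` and `sha512` gives identical outcomes, which is the thread's observation that the hash algorithm's strength is beside the point when the reference value comes from the party you would need to distrust. The image bytes are constructed placeholders.

```python
import hashlib

# Constructed sample "images": a few bytes standing in for image files.
ORIGINAL_IMAGE = b"qcow2-sample-image-v1"          # what the publisher released
TAMPERED_IMAGE = b"qcow2-sample-image-v1-altered"  # what a dishonest host serves


def digest(data: bytes, algorithm: str) -> str:
    """Hex digest of data with the named hashlib algorithm (md5, sha512, ...)."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


class ImageCatalog:
    """Hypothetical stand-in for an image catalog run by the cloud operator.

    It serves image bytes and a checksum of *those same bytes*. An operator
    who swaps the image can simply recompute the checksum, so the value is
    in-band: it never leaves the operator's trust domain.
    """

    def __init__(self, image: bytes, algorithm: str) -> None:
        self._image = image
        self._algorithm = algorithm

    def get_image(self) -> bytes:
        return self._image

    def get_checksum(self) -> str:
        # Computed over whatever the catalog currently holds, honest or not.
        return digest(self._image, self._algorithm)


def verify_in_band(catalog: ImageCatalog, algorithm: str) -> bool:
    """Check the downloaded image against the checksum the same catalog reports."""
    return digest(catalog.get_image(), algorithm) == catalog.get_checksum()


def verify_out_of_band(catalog: ImageCatalog, pinned_digest: str, algorithm: str) -> bool:
    """Check against a digest obtained independently of the operator (for
    example from the image publisher's release page), which the operator
    cannot adjust to match a substituted image."""
    return digest(catalog.get_image(), algorithm) == pinned_digest


def demo(algorithm: str) -> dict:
    """Run both checks against an honest and a dishonest catalog."""
    # The pinned digest is recorded once, from the publisher's copy, before
    # any catalog is contacted. It is the only reference the operator cannot rewrite.
    pinned = digest(ORIGINAL_IMAGE, algorithm)
    honest = ImageCatalog(ORIGINAL_IMAGE, algorithm)
    dishonest = ImageCatalog(TAMPERED_IMAGE, algorithm)
    return {
        "honest_in_band": verify_in_band(honest, algorithm),
        "honest_out_of_band": verify_out_of_band(honest, pinned, algorithm),
        "tampered_in_band": verify_in_band(dishonest, algorithm),
        "tampered_out_of_band": verify_out_of_band(dishonest, pinned, algorithm),
    }


if __name__ == "__main__":
    for algorithm in ("md5", "sha512"):
        print(algorithm, demo(algorithm))
```

The tampered image passes the in-band check under both algorithms and fails only the out-of-band check, so the defensive takeaway is about where the reference digest comes from, not which hash function computes it.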