On 4/12/19 8:06 PM, Jeremy Stanley wrote:
On 2019-04-12 09:27:35 -0500 (-0500), Sean McGinnis wrote: [...]
Hmm, according to the spec, Nova verifies those checksums as of Mitaka [0]. Though Cinder did not get the same enforcement until Rocky [1].
[0] https://specs.openstack.org/openstack/nova-specs/specs/mitaka/implemented/im... [1] https://specs.openstack.org/openstack/cinder-specs/specs/rocky/support-image...
(And specs are always 100% accurate, right?)
Neat, I had no idea that had improved in the past few years. At any rate, my main point still stands: if you don't trust the operators of that environment then the checksums are pure theater, since they could disable checksum validation or even just serve you a completely fictional hash from the catalog.
If you believe your host is capable of such things, you probably should go somewhere else. Cheers, Thomas Goirand (zigo)