On 2019-04-12 09:27:35 -0500 (-0500), Sean McGinnis wrote:
[...]
> Hmm, according to the spec, Nova verifies those checksums as of Mitaka [0].
> Though Cinder did not get the same enforcement until Rocky [1].
>
> [0] https://specs.openstack.org/openstack/nova-specs/specs/mitaka/implemented/image-verification.html
> [1] https://specs.openstack.org/openstack/cinder-specs/specs/rocky/support-image-signature-verification.html
>
> (And specs are always 100% accurate, right?)

Neat, I had no idea that had improved in the past few years. At any
rate, my main point still stands: if you don't trust the operators
of that environment then the checksums are pure theater, since they
could disable checksum validation or even just serve you a
completely fictional hash from the catalog.
--
Jeremy Stanley