[glance][interop] standardized image "name" ?

Thomas Goirand zigo at debian.org
Sat Apr 13 22:53:47 UTC 2019


On 4/12/19 8:06 PM, Jeremy Stanley wrote:
> On 2019-04-12 09:27:35 -0500 (-0500), Sean McGinnis wrote:
> [...]
>> Hmm, according to the spec, Nova verifies those checksums as of Mitaka [0].
>> Though Cinder did not get the same enforcement until Rocky [1].
>>
>> [0] https://specs.openstack.org/openstack/nova-specs/specs/mitaka/implemented/image-verification.html
>> [1] https://specs.openstack.org/openstack/cinder-specs/specs/rocky/support-image-signature-verification.html
>>
>> (And specs are always 100% accurate, right?)
> 
> Neat, I had no idea that had improved in the past few years. At any
> rate, my main point still stands: if you don't trust the operators
> of that environment then the checksums are pure theater, since they
> could disable checksum validation or even just serve you a
> completely fictional hash from the catalog.

If you believe your host is capable of such things, you probably should
go somewhere else.

Cheers,

Thomas Goirand (zigo)



More information about the openstack-discuss mailing list