osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[glance][interop] standardized image "name" ?


On 4/12/19 8:06 PM, Jeremy Stanley wrote:
> On 2019-04-12 09:27:35 -0500 (-0500), Sean McGinnis wrote:
> [...]
>> Hmm, according to the spec, Nova verifies those checksums as of Mitaka [0].
>> Though Cinder did not get the same enforcement until Rocky [1].
>>
>> [0] https://specs.openstack.org/openstack/nova-specs/specs/mitaka/implemented/image-verification.html
>> [1] https://specs.openstack.org/openstack/cinder-specs/specs/rocky/support-image-signature-verification.html
>>
>> (And specs are always 100% accurate, right?)
> 
> Neat, I had no idea that had improved in the past few years. At any
> rate, my main point still stands: if you don't trust the operators
> of that environment then the checksums are pure theater, since they
> could disable checksum validation or even just serve you a
> completely fictional hash from the catalog.

If you believe your host is capable of such things, you probably should
go somewhere else.

Cheers,

Thomas Goirand (zigo)