
Bug#878759: no way to verify debian vagrant boxes



Package: cloud.debian.org

There is no way to verify the authenticity of vagrant boxes hosted on Atlas
(HashiCorp's image hosting service). For example, running this command
with a completely fabricated fingerprint installs a Debian box without
any error message or warning:

     vagrant box add \
     --checksum 1234567890123456789012345678901234567890123456789012345678901234 \
     --checksum-type sha256 debian/jessie64

While I understand that the official vagrant docs state that this is
intended behavior[1] (probably because when a new box version becomes
available the checksum changes), this renders all Atlas-hosted vagrant
boxes unverifiable. `vagrant box add` unpacks .box files, so users don't
have a chance to verify the box file manually.

thanks and best regards,
Michael

[1] https://www.vagrantup.com/docs/cli/box.html#options-for-direct-box-files

