Bug#878759: no way to verify debian vagrant boxes
Package: cloud.debian.org
There is no way to verify the authenticity of Vagrant boxes hosted on Atlas
(HashiCorp's image hosting service). For example, running this command
with a completely fabricated fingerprint installs a Debian box without
any error message or warning:

    vagrant box add \
      --checksum 1234567890123456789012345678901234567890123456789012345678901234 \
      --checksum-type sha256 debian/jessie64

While I understand that the official Vagrant docs state that this is
intended behavior[1] (probably because when a new box version becomes
available the checksum changes), this renders all Atlas-hosted Vagrant
boxes unverifiable. `vagrant box add` unpacks .box files, so users don't
have a chance to verify the box file manually.
thanks and best regards,
Michael
[1] https://www.vagrantup.com/docs/cli/box.html#options-for-direct-box-files
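
Added example, not part of the original report and not Vagrant or Debian code: since the checksum options documented at [1] apply to direct box files, one way to get a real check is to verify a locally downloaded .box file first and only then hand that same file to `vagrant box add`. Assumptions: GNU `sha256sum` is available, the box has already been downloaded to a local path, and the expected digest comes from a source you trust; the function names are hypothetical.

```shell
# Return 0 only if FILE's SHA-256 equals EXPECTED (64 hex chars, any case).
# Return 1 on mismatch, 2 on bad input.
verify_box_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # Reject malformed digests up front, so an empty or truncated value never matches.
    case $expected in
        *[!0-9a-f]*|'') echo "malformed digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "digest must be 64 hex chars" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    actual=$(sha256sum -- "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
}

# Add the box only after verification succeeds. The checksum is passed again
# so Vagrant checks the direct box file it actually imports.
add_verified_box() {
    name=$1 file=$2 expected=$3
    verify_box_sha256 "$file" "$expected" || return
    vagrant box add --name "$name" \
        --checksum "$expected" --checksum-type sha256 "$file"
}
```

With the fabricated fingerprint from the report, `verify_box_sha256` returns 1 and `vagrant box add` is never run.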