On 03/08/2019 11:06, Chris Boot wrote: > On 25/07/2019 00:00, Thomas Goirand wrote: >> On the secret files found here: >> http://cloud.debian.org/cdimage/cloud/ >> >> there's a json file attached. Unfortunately, there's no SHA512, and of >> course, no GPG signature of this file, so it's impossible check the validity >> of the images. Please at least add a SHA512, then we can see later how we >> can sign the json file. [snip] > Clearly it makes sense to include the checksum(s) in the build.json > file, but: [snip] Currently the build tools generate the raw image using FAI, then wrap it into a tarball. The tarball is then xz compressed outside debian-cloud-images in the GitLab CI job. Is there any reason to keep it that way? Why don't we move the compression into debian-cloud-images? Without this I don't see how debian-cloud-images can calculate a useful set of checksums for the cloud images. We either checksum the raw image itself or the tarball but neither is what ends up on patterson. We can generate checksums of the compressed tarball after the fact but it doesn't feel right injecting that into the manifest after the fact. It wouldn't be so bad just having detached checksums in that case but it feels like it could be genuinely useful to hold them in the manifest so that the upload step could validate them, for example. What are others' views on this? Cheers, Chris -- Chris Boot bootc@debian.org
Attachment:
signature.asc
Description: OpenPGP digital signature