
Re: Please, provide a fixed Cloud Image URL for Debian

Excerpts from Adam Heath's message of 2016-08-10 17:34:36 -0500:
> On 08/10/2016 05:18 PM, Clint Byrum wrote:
> > I think a fixed URL for downloading images of major versions would in
> > fact be good. But you still need to verify the integrity of that image,
> > for the internet is dark, and full of terrors.
> >
> Verification of the existing images has to happen regardless; having a 
> stable url has nothing at all to do with that.  You're conflating issues.

Correct that the verification has to happen. But, the OP was suggesting
that he just tells OpenStack's glance service to download these images
directly from the internet on his hypervisor hosts (which is what
--location does). This means that no verification happens before the VM
boots. The image is downloaded, turned into a filesystem for a VM, and
booted, without ever having consulted a list of cryptographic hashes,
gpg key, or even a crc32. :-/
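
Added example, not part of the original message: a fail-closed check that an already-downloaded image matches its entry in a sha512sum-style manifest, so that only a verified local file is registered with glance. The file names and manifest content are constructed, and the manifest itself is assumed to have been authenticated separately (for example by checking its GPG signature).

```python
import hashlib
import hmac
import os
import tempfile


def parse_manifest(text):
    """Parse sha512sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        digest, name = parts
        name = name.lstrip("*")  # '*' marks binary mode in sha512sum output
        if len(digest) == 128 and all(c in "0123456789abcdefABCDEF" for c in digest):
            entries[name] = digest.lower()
    return entries


def sha512_file(path, chunk=1 << 20):
    """Hash the file in chunks so multi-gigabyte images never sit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, manifest_text):
    """True only if the manifest lists this file name and the digest matches."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return False  # no entry for this file: fail closed
    return hmac.compare_digest(sha512_file(path), expected)


def demo():
    """Constructed data: a small stand-in 'image' and a one-line manifest for it."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "example-image.qcow2")  # hypothetical file name
        with open(img, "wb") as f:
            f.write(b"constructed image bytes")
        manifest = hashlib.sha512(b"constructed image bytes").hexdigest() + "  example-image.qcow2\n"
        good = verify_image(img, manifest)
        with open(img, "ab") as f:
            f.write(b"tampered")  # simulate modification in transit
        return good, verify_image(img, manifest), verify_image(img, "")
```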
