
Re: Please, provide a fixed Cloud Image URL for Debian

On 2016-08-10 16:16:54 -0700 (-0700), Clint Byrum wrote:
> the OP was suggesting that he just tells OpenStack's glance
> service to download these images directly from the internet on his
> hypervisor hosts (which is what --location does). This means that
> no verification happens before the VM boots. The image is
> downloaded, turned into a filesystem for a VM, and booted, without
> ever having consulted a list of cryptographic hashes, gpg key, or
> even a crc32. :-/

And what's worse, the example was of doing it over plain HTTP, no
TLS even (for whatever transport security is worth anyway).
Jeremy Stanley
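
One way to close the gap described in this thread, as an added example that is not part of the original messages: fetch the image to local disk, check it against a SHA-512 checksum list, and only then register the local file with glance instead of pointing glance at a remote URL. It assumes the checksum list itself has already been authenticated (for example by a verified GPG signature); the file name and image bytes are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")


def parse_sums(text):
    """Parse sha512sum-style lines ('<hex digest>  <name>') into {name: digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # '*' marks binary mode in coreutils output
        if len(digest) != 128 or not name or set(digest.lower()) - HEX:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest.lower()
    return sums


def sha512_file(path, chunk=1 << 20):
    """Hash the file in chunks so multi-gigabyte images do not fill memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_is_trusted(path, sums_text):
    """True only if the file's name is listed and its digest matches."""
    expected = parse_sums(sums_text).get(Path(path).name)
    if expected is None:
        return False  # an unlisted image is treated as unverified
    return hmac.compare_digest(sha512_file(path), expected)


def demo():
    """Constructed sample: a fake 'image' and a checksum list covering it."""
    with tempfile.TemporaryDirectory() as d:
        img = Path(d) / "example-image.qcow2"  # hypothetical file name
        img.write_bytes(b"constructed image bytes")
        sums = f"{sha512_file(img)}  example-image.qcow2\n"
        ok = image_is_trusted(img, sums)
        img.write_bytes(b"modified in transit")  # simulate tampering
        return ok, image_is_trusted(img, sums)
```

`demo()` returns `(True, False)`: the untouched file passes and the modified one is rejected before it would ever reach a hypervisor.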
