#93 Getting sha256sum published for the cloud images
Opened 4 years ago by kushal. Modified 2 years ago

This will help things like systemd search for the images provided by Fedora in a standard way using the nspawn tool.

Example of such file from ubuntu:

https://cloud-images.ubuntu.com/trusty/current/SHA1SUMS
https://cloud-images.ubuntu.com/trusty/current/SHA256SUMS.gpg


Actually more on verifying the images from the checksums on a standard path.

BTW, do keep this simple, let's just do SHA256SUMS, and nothing else. i.e. no SHA1SUMS or so.

Well, yeah, but I want it under a fixed name, not something that changes randomly in every dir.

I want the thing to be named "SHA256SUMS", not "Fedora-Cloud-Images-....-CHECKSUM", so that I know what to download.

Also, I'd really prefer to have the signature in a detached file, like Ubuntu is doing it. That has the benefit that we can first download the SHA256SUMS file to do simple download verifications against corruptions, and then download SHA256SUMS.sig separately to actually verify that it is signed by the right people.

I'm not going to advocate one way or the other as far as having attached vs detached sig, but I think it should be fairly easy to have the tool parse the sum and the sig out of the file and use them separately. This way we could accommodate systems that use the Ubuntu style and systems that use the Fedora style.
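As an added illustration of the accommodation proposed above (example code, not from the ticket or from any Fedora or Ubuntu tooling): a small Python verifier that reads either manifest style, pulls out the digest for one image, and keeps the integrity check (digest) separate from the authenticity check (gpg). The "<hex> *<file>" and clearsigned "SHA256 (<file>) = <hex>" layouts are assumed from the public examples; the sample payload and manifests are constructed.

```python
import hashlib
import re
import subprocess

PGP_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIG = "-----BEGIN PGP SIGNATURE-----"
BSD_LINE = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]{64})$")
GNU_LINE = re.compile(r"^(?P<hex>[0-9a-fA-F]{64})\s+\*?(?P<name>\S.*)$")

def strip_clearsign(text):
    """Return the signed body of a clearsigned manifest; plain text is passed through."""
    if not text.startswith(PGP_BEGIN):
        return text
    lines = text.splitlines()
    # Body runs from the first blank line (end of "Hash:" headers) to the signature.
    start, end = lines.index("") + 1, lines.index(PGP_SIG)
    # Undo clearsign dash-escaping of lines that begin with "-".
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[start:end])

def parse_sums(text):
    """Map filename -> sha256 hex, accepting Ubuntu (GNU) or Fedora (BSD) lines."""
    sums = {}
    for line in strip_clearsign(text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # Fedora manifests carry size comments; skip them
        m = BSD_LINE.match(line) or GNU_LINE.match(line)
        if m:
            sums[m.group("name")] = m.group("hex").lower()
    return sums

def digest_matches(sums, name, data):
    """Integrity only: proves the download is intact, not who published the manifest."""
    expected = sums.get(name)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected

def gpg_verify(manifest_path, sig_path=None):
    """Authenticity: detached .sig (Ubuntu style) or inline clearsign (Fedora style)."""
    args = [sig_path, manifest_path] if sig_path else [manifest_path]
    return subprocess.run(["gpg", "--verify", *args], capture_output=True).returncode == 0

# Constructed sample payload and manifests (not real Fedora or Ubuntu data).
SAMPLE_DATA = b"not a real qcow2 image, just sample bytes"
SAMPLE_HEX = hashlib.sha256(SAMPLE_DATA).hexdigest()
SAMPLE_UBUNTU = f"{SAMPLE_HEX} *trusty-server-cloudimg-amd64-disk1.img\n"
SAMPLE_FEDORA = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
                 "# Fedora-Cloud-Base-21.x86_64.qcow2: 41 bytes\n"
                 f"SHA256 (Fedora-Cloud-Base-21.x86_64.qcow2) = {SAMPLE_HEX}\n"
                 "-----BEGIN PGP SIGNATURE-----\n(omitted)\n-----END PGP SIGNATURE-----\n")
```

gpg_verify only reports success when the signing key is already in the local keyring; a matching digest without that step catches corruption but not substitution.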

I know leaving it the same would be easier on releng and other tools that already expect it to be this way. That being said, we could easily make it so that the file has a standard name. We could leave Fedora-Cloud-Images-x86_64-21-CHECKSUM in place and create a new file (symlink) from SHA256SUMS -> Fedora-Cloud-Images-x86_64-21-CHECKSUM or something like that.

An alternative (or additional?) approach might be to publish indexes in the "simplestreams" format, as Ubuntu does. See for example https://cloud-images.ubuntu.com/releases/streams/v1/com.ubuntu.cloud:released:download.json (or basically all the examples under https://cloud-images.ubuntu.com/releases/streams/v1/).

(The format doesn't seem to be heavily documented anywhere, but here's Ubuntu's lib: https://launchpad.net/ubuntu/+source/simplestreams)

FWIW, http://bazaar.launchpad.net/~smoser/simplestreams/trunk/view/head:/doc/README documents the simplestreams format. Lennart, might this be something a future systemd-nspawn could use?

Oh, see also: https://fedorahosted.org/rel-eng/ticket/5805 (a request for the virt-builder index.asc format).

Replying to [comment:9 mattdm]:

FWIW, http://bazaar.launchpad.net/~smoser/simplestreams/trunk/view/head:/doc/README documents the simplestreams format. Lennart, might this be something a future systemd-nspawn could use?

This "simplestreams" stuff doesn't appear so simple to me ;-)

I think I like the concepts from the ACI spec better regarding image discovery, but simple streams would work too, I don't care too much.

Replying to [comment:11 lennart]:

This "simplestreams" stuff doesn't appear so simple to me ;-)

To me either. :) Richard's ini-style index.asc files are much more human readable, but the simplestreams format has among its advantages "already widely in use for another big distro" and it seems like the best candidate for eventually getting most everyone to do the same thing. I haven't looked at the ACI discovery spec but I'll take a look.

Any chance of seeing any sort of index file for the images soon?

This should actually be filed as an RFE to pungi. That is the tool that generates all the various release components and outputs the current checksum format files. It's the proper place for an RFE to be filed that would be actioned by rel-eng.

https://pagure.io/pungi

There is something creating stable links for the download images as shown in
https://fedoraproject.org/wiki/Cloud#Fedora_Cloud_Atomic_Image_Download_Links

Could the same thing also provide stable links for the checksum files? It is IMHO quite unfortunate that there is a lot of effort in Fedora to provide the possibility to securely download all images, but the Cloud WG wiki page is not promoting/mentioning it.
