On 2016-08-10 16:16:54 -0700 (-0700), Clint Byrum wrote:
[...]
> the OP was suggesting that he just tells OpenStack's glance
> service to download these images directly from the internet on his
> hypervisor hosts (which is what --location does). This means that
> no verification happens before the VM boots. The image is
> downloaded, turned into a filesystem for a VM, and booted, without
> ever having consulted a list of cryptographic hashes, gpg key, or
> even a crc32. :-/

And what's worse, the example was of doing it over plain HTTP, no
TLS even (for whatever transport security is worth anyway).

-- 
Jeremy Stanley
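
The verification step this thread says is missing, as an added example that is not part of the original messages: a pre-import gate that refuses a non-TLS source and checks the downloaded bytes against a sha256sum-style list. The function names, URL and image bytes are constructed for illustration, and the digest list is assumed to have been authenticated separately (for example by a GPG signature).

```python
import hashlib
import hmac
import io
from urllib.parse import urlsplit

def parse_sums(text):
    """Parse sha256sum-style lines: '<64 hex chars>  <filename>'."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in sha256sum output
        if len(digest) != 64 or not name:
            raise ValueError("malformed checksum line: %r" % line)
        bytes.fromhex(digest)  # raises ValueError if the digest is not hex
        sums[name] = digest.lower()
    return sums

def sha256_stream(fh, chunk=1 << 20):
    """Hash a file object in chunks so large images are never held in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: fh.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def check_image(url, fh, sums):
    """Return (ok, reason); only an ok image should be handed on for import."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return (False, "source is not https")
    name = parts.path.rsplit("/", 1)[-1]
    expected = sums.get(name)
    if expected is None:
        return (False, "no digest listed for image")
    if not hmac.compare_digest(sha256_stream(fh), expected):
        return (False, "digest mismatch")
    return (True, "ok")

# Constructed sample data: stand-in image bytes and a matching checksum list.
IMAGE = b"constructed stand-in for a cloud image\n" * 1000
SUMS = parse_sums("# SHA256SUMS (constructed)\n%s *demo.img\n"
                  % hashlib.sha256(IMAGE).hexdigest())

if __name__ == "__main__":
    url = "https://images.example.org/demo.img"  # hypothetical URL
    print(check_image(url, io.BytesIO(IMAGE), SUMS))
    print(check_image(url, io.BytesIO(IMAGE + b"x"), SUMS))
    print(check_image("http://images.example.org/demo.img", io.BytesIO(IMAGE), SUMS))
```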