Signing would definitely be a great v2 feature. For v1, we just need some way to know that an image is provided by the cloud provider, and some idea of what that image "is".
I believe every cloud is stuck respinning their own images, because we haven't been able to agree a "golden image" standard. So signing etc by the distros is pointless until we get that figured out. I trust the cloud providers today - I have no choice but to do so. I think you're trying to solve a much harder problem - how do I cope in a world where I trust Canonical but not my cloud? Once we have hardware trust of clouds, then we'll have to up our game substantially on every front here.

On Tue, Apr 10, 2012 at 8:04 AM, Scott Moser <smo...@ubuntu.com> wrote:

> The data you're after might be useful to you, and might scratch an itch.
> I will not discount that, but I would much prefer a bit of metadata
> associated with an image that was signed by an entity I trusted that
> identified the image as good.

I have to trust my cloud provider. A single protected flag in metadata saying "official cloud image" is no less secure than anything more complicated at the moment (sadly).

> OS distro, version_major, version_minor are even less important where
> you don't care (or know) that your OS came from Canonical or RedHat, what you
> were really interested in is running "WhizBang! Fooberator" version 2.0.

Unless the distros stop changing config directory locations, or agree a common init.d approach, then this simply isn't true. Maybe you're talking about running pre-built appliances? I'm talking about not treating the machines as infallible black boxes (I think mine is the more common use case, but irrespective, mine is definitely a valid use case).

> I can see that some tagged info on the contents of the image would be
> useful for certain things, but specifically OS specific information is
> just not that important.

It's very important to me as a consumer of images. How are you coding image selection for launching instances on the public OpenStack clouds? I'm interested in any alternative.