On 25/02/16 12:04, Beni Paskin-Cherniavsky wrote:
Hi. [Follow up from https://github.com/openshift/openshift-ansible/issues/1384] I did not RTFM, this is a fresh-eyes-I-just-want-to-download-an-image perspective...
Looking at http://cloud.centos.org/centos/7/images/, I see -1602 is latest version.
If for some reason I want to use the unversioned CentOS-7-x86_64-GenericCloud.* files, it's hard to be sure what I'll get (other than by downloading => I am getting 1602).
- sha256sum.txt{,.asc} contain no hashes for the unversioned files.
File size does suggest it's 1602.
Ideally the file listing would actually show them as "name -> target" symlinks, and/or downloading would return an HTTP redirect to the current version. Currently it returns the content directly; the only identifying headers are `Last-Modified: Tue, 23 Feb 2016 17:53:08 GMT` and `ETag: "fcc0480-52c739f3d2900"` (for the .xz). [Be careful with redirects: some scripts/libraries by default don't follow them, e.g. any script using `curl` without `-L` would break :-(]
http://cloud.centos.org/centos/7/images/sha256sum.txt{,.asc} are not available over HTTPS. I can verify the hash but I can't trust the hash itself. That's what .asc is signed for, but lazy folks like me don't necessarily know which key to trust... (`gpg --search-keys F4A80EB5` worked but then `gpg --verify` says "WARNING: This key is not certified with a trusted signature!". No idea what that means - I'm clueless with GPG; trusting https://cloud.centos.org would be trivial for me.)
Looking at https://wiki.centos.org/Download:
It only links to the unversioned cloud images, doesn't say it's 1602 (other places on that page give the impression everything 7 is 1511), and doesn't list hashes.
I don't see a link to release notes for cloud images; https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7 is for 1511 and only talks of the regular ISOs.
https://wiki.centos.org/Cloud doesn't mention any specific versions, release notes or hashes either.
Googling "centos cloud 1602" didn't lead me to any "official" announcement. Nothing on centos-announce this February. Is -1602 "officially" released? (I personally don't really care, but "what changed" is the first natural question people ask beyond "I just want the latest"...)
Hope this is useful feedback.
It is - very much so,
You just caught us in the middle of a release! 1602 will be announced in the next few hours.
Having said that, I don't have a clear answer to the https comment, and the cascading trust from a known trust authority. Given what happened in the recent past, and how agencies get involved in the SSL games, I am not sure if an https cert validates origin really well (maybe it's good enough, and it's for sure better than where we are now, over http).
For the filenames, let's see what we can get to - at one point I did go down the route of redirects to have the downloaded file always have the versioned name - but feedback indicated people were just looking for a 'latest.tar.gz' experience. Maybe we can still retain that and have a good validation chain as well, with the date stamped files.
regards
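The problem raised in the thread above, that sha256sum.txt only lists the date-stamped files while the unversioned download is a plain copy of one of them, can be handled on the client side without waiting for symlinks or redirects: hash the unversioned file and look for that digest among the versioned entries. The script below is an added example, not code from the thread or from the CentOS project; it assumes the sha256sum.txt format (`<hex>  <name>` per line) and builds a small constructed mirror directory in a temp dir, with made-up file contents, so that it runs offline. It also assumes the checksum list has already been checked against its detached `.asc` signature (`gpg --verify sha256sum.txt.asc sha256sum.txt`); it does not implement that step, since an unsigned or unverified list only tells you that the download was not corrupted in transit, not that it came from the publisher.

```python
"""Match an unversioned cloud image against a versioned sha256sum.txt.

Added example (not part of the mailing-list thread). All file names below
are constructed to look like the CentOS cloud image listing; the contents
are a few bytes, not real images.
"""
import hashlib
import os
import tempfile


def parse_sha256sum(text):
    """Parse sha256sum-style lines ('<hex>  <name>') into {name: hexdigest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        # sha256sum prefixes '*' to names hashed in binary mode; drop it.
        entries[name.lstrip("*")] = digest.lower()
    return entries


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_listed(path, entries):
    """True/False if the file's own name is in the list; None if it is unlisted."""
    name = os.path.basename(path)
    if name not in entries:
        return None
    return sha256_file(path) == entries[name]


def identify(path, entries):
    """Names in the list whose digest equals the file's digest (normally 0 or 1).

    This is how an unversioned download gets pinned to a versioned build:
    an empty result means nothing in the signed list vouches for the file.
    """
    digest = sha256_file(path)
    return sorted(name for name, d in entries.items() if d == digest)


def demo():
    """Build a constructed mirror directory and exercise the helpers."""
    builds = {  # constructed contents standing in for two versioned images
        "CentOS-7-x86_64-GenericCloud-1511.qcow2.xz": b"constructed 1511 image bytes\n",
        "CentOS-7-x86_64-GenericCloud-1602.qcow2.xz": b"constructed 1602 image bytes\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in builds.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # The unversioned file is a byte-for-byte copy of the 1602 build.
        unversioned = os.path.join(d, "CentOS-7-x86_64-GenericCloud.qcow2.xz")
        with open(unversioned, "wb") as f:
            f.write(builds["CentOS-7-x86_64-GenericCloud-1602.qcow2.xz"])
        # A file matching nothing in the list, e.g. a truncated download.
        unknown = os.path.join(d, "CentOS-7-x86_64-GenericCloud.raw.tar.gz")
        with open(unknown, "wb") as f:
            f.write(b"constructed 1602 image")
        # The checksum list only covers the versioned names, as on the mirror.
        sum_text = "".join(
            f"{hashlib.sha256(data).hexdigest()}  {name}\n" for name, data in builds.items()
        )
        entries = parse_sha256sum(sum_text)
        versioned = os.path.join(d, "CentOS-7-x86_64-GenericCloud-1511.qcow2.xz")
        return {
            "listed_ok": verify_listed(versioned, entries),
            "unversioned_listed": verify_listed(unversioned, entries),
            "unversioned_is": identify(unversioned, entries),
            "unknown_is": identify(unknown, entries),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`identify` is the piece that answers "what did I actually get": for the unversioned file it returns the 1602 name, and for the corrupt or unknown file it returns an empty list, which a download script should treat as a failure rather than falling back to the unsigned `Last-Modified` header.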