Hi. [Follow up from https://github.com/openshift/openshift-ansible/issues/1384] I did not RTFM, this is a fresh-eyes-I-just-want-to-download-an-image perspective...
Looking at http://cloud.centos.org/centos/7/images/, I see -1602 is latest version.
- If for some reason I want to use the unversioned CentOS-7-x86_64-GenericCloud.* files, it's hard to be sure what I'll get (other than by downloading => I am getting 1602).
- sha256sum.txt{,.asc} contain no hashes for the unversioned files.
File size does suggest it's 1602.
Ideally the file listing would actually show them as "name -> target" symlink, and/or downloading would return an HTTP redirect to the current version. Currently it returns the content directly, only identifying headers are `Last-Modified: Tue, 23 Feb 2016 17:53:08 GMT` and `ETag: "fcc0480-52c739f3d2900"` (for the .xz). [Be careful with redirect: some scripts/libraries by default don't follow them, e.g. any script using `curl` without `-L` would break :-(]
- http://cloud.centos.org/centos/7/images/sha256sum.txt%7B,.asc%7D are not available over HTTPS. I can verify the hash but I can't trust the hash itself. That's what .asc is signed for, but lazy folks like me don't necessarily know which key to trust... (`gpg --search-keys F4A80EB5` worked but then `gpg --verify` says "WARNING: This key is not certified with a trusted signature!". No idea what that means - I'm clueless with GPG; trusting https://cloud.centos.org would be trivial for me.)
Looking at https://wiki.centos.org/Download:
- It only links to the unversioned cloud images, doesn't say it's 1602 (other places on that page give the impression everything 7 is 1511), and doesn't list hashes.
- I don't see a link to release notes for cloud images; https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7 is for 1511 and only talks of the regular ISOs.
https://wiki.centos.org/Cloud doesn't mention any specific versions, release notes or hashes either.
Googling "centos cloud 1602" didn't lead me to any "official" announcement. Nothing on centos-announce this February. Is -1602 "officially" released? (I personally don't really care, but "what changed" is the first natural question people ask beyond "I just want the latest"...)
Hope this is useful feedback.
On 25/02/16 12:04, Beni Paskin-Cherniavsky wrote:
> Hi. [Follow up from https://github.com/openshift/openshift-ansible/issues/1384] I did not RTFM, this is a fresh-eyes-I-just-want-to-download-an-image perspective...
> Looking at http://cloud.centos.org/centos/7/images/, I see -1602 is latest version.
> - If for some reason I want to use the unversioned CentOS-7-x86_64-GenericCloud.* files, it's hard to be sure what I'll get (other than by downloading => I am getting 1602).
> - sha256sum.txt{,.asc} contain no hashes for the unversioned files.
> File size does suggest it's 1602.
> Ideally the file listing would actually show them as "name -> target" symlink, and/or downloading would return an HTTP redirect to the current version. Currently it returns the content directly, only identifying headers are `Last-Modified: Tue, 23 Feb 2016 17:53:08 GMT` and `ETag: "fcc0480-52c739f3d2900"` (for the .xz). [Be careful with redirect: some scripts/libraries by default don't follow them, e.g. any script using `curl` without `-L` would break :-(]
> - http://cloud.centos.org/centos/7/images/sha256sum.txt%7B,.asc%7D are not available over HTTPS. I can verify the hash but I can't trust the hash itself. That's what .asc is signed for, but lazy folks like me don't necessarily know which key to trust... (`gpg --search-keys F4A80EB5` worked but then `gpg --verify` says "WARNING: This key is not certified with a trusted signature!". No idea what that means - I'm clueless with GPG; trusting https://cloud.centos.org would be trivial for me.)
> Looking at https://wiki.centos.org/Download:
> - It only links to the unversioned cloud images, doesn't say it's 1602 (other places on that page give the impression everything 7 is 1511), and doesn't list hashes.
> - I don't see a link to release notes for cloud images; https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7 is for 1511 and only talks of the regular ISOs.
> https://wiki.centos.org/Cloud doesn't mention any specific versions, release notes or hashes either.
> Googling "centos cloud 1602" didn't lead me to any "official" announcement. Nothing on centos-announce this February. Is -1602 "officially" released? (I personally don't really care, but "what changed" is the first natural question people ask beyond "I just want the latest"...)
> Hope this is useful feedback.
it is - very much so,
you just caught us in the middle of a release! 1602 will be announced in the next few hours.
Having said that, I don't have a clear answer to the https comment, and the cascading trust from a known trust authority. Given what happened in the recent past, and how agencies get involved in the SSL games, I am not sure if a https cert validates origin really well (maybe it's good enough, and it's for sure better than where we are now, over http).
For the filenames, let's see what we can get to - at one point I did go down the route of redirects to have the downloaded file always have the versioned name - but feedback indicated people were just looking for a 'latest.tar.gz' experience. Maybe we can still retain that and have a good validation chain as well, with the date stamped files.
regards
From: "Karanbir Singh" mail-lists@karan.org
> Having said that, I don't have a clear answer to the https comment, and the cascading trust from a known trust authority. Given what happened in the recent past, and how agencies get involved in the SSL games, I am not sure if a https cert validates origin really well (maybe it's good enough, and it's for sure better than where we are now, over http).
To clarify my comments, I'm not claiming SSL is more/less secure than GPG, it's just convenient and (almost) unavoidable. I did find https://www.centos.org/keys/ easily a minute later, which nicely confirmed I got the right key, so SSL is my root of trust. Not being a signing-party-going GPG nerd, I have no clue how to bootstrap trust without SSL. (And I don't have the keys magically installed via centos-release - I'm on a Fedora machine.)
- It'd be nice if https://www.centos.org/keys/ told how to obtain the keys [and mark them trusted]. Currently it just lists their fingerprints. Bonus points if it told how to verify downloaded images.
Similarly most people add some repos following online instructions, which means they also ultimately trust SSL. (Best-case; I'm afraid 50% happily trust "curl http:... | sudo ... --nogpgcheck" instructions.)
> For the filenames, let's see what we can get to - at one point I did go down the route of redirects to have the downloaded file always have the versioned name - but feedback indicated people were just looking for a 'latest.tar.gz' experience. Maybe we can still retain that and have a good validation chain as well, with the date stamped files.
I happened to start from the images/ dir but most people probably start from https://wiki.centos.org/Download; I think improving that page is more important. As for the directory, adding a README there could be enough.
On 02/25/2016 06:04 AM, Beni Paskin-Cherniavsky wrote:
> Hi. [Follow up from https://github.com/openshift/openshift-ansible/issues/1384] I did not RTFM, this is a fresh-eyes-I-just-want-to-download-an-image perspective...
> Looking at http://cloud.centos.org/centos/7/images/, I see -1602 is latest version.
> - If for some reason I want to use the unversioned CentOS-7-x86_64-GenericCloud.* files, it's hard to be sure what I'll get (other than by downloading => I am getting 1602).
> - sha256sum.txt{,.asc} contain no hashes for the unversioned files.
The unversioned files are always just a symlink to the latest version.
I guess I can add them to the sha256sum.txt file .. but being always the latest and the latest will be the newest date (so 1602 is 2016-Feb .. 1511 is 2015-Nov).
> File size does suggest it's 1602.
> Ideally the file listing would actually show them as "name -> target" symlink, and/or downloading would return an HTTP redirect to the current version. Currently it returns the content directly, only identifying headers are `Last-Modified: Tue, 23 Feb 2016 17:53:08 GMT` and `ETag: "fcc0480-52c739f3d2900"` (for the .xz). [Be careful with redirect: some scripts/libraries by default don't follow them, e.g. any script using `curl` without `-L` would break :-(]
> - http://cloud.centos.org/centos/7/images/sha256sum.txt%7B,.asc%7D are not available over HTTPS. I can verify the hash but I can't trust the hash itself. That's what .asc is signed for, but lazy folks like me don't necessarily know which key to trust... (`gpg --search-keys F4A80EB5` worked but then `gpg --verify` says "WARNING: This key is not certified with a trusted signature!". No idea what that means - I'm clueless with GPG; trusting https://cloud.centos.org would be trivial for me.)
CentOS is a community project and we have lots of external, NON-CentOS mirrors for several items. While that is NOT currently happening for cloud.centos.org, it very well could in the future. At that point, we lose control over the setup of the machines, etc. That is the whole purpose of signing RPMs and signing the shasum files .. so you can verify them regardless of the mirror.
<snip>
On 26/02/16 15:42, Johnny Hughes wrote:
> CentOS is a community project and we have lots of external, NON-CentOS mirrors for several items. While that is NOT currently happening for cloud.centos.org, it very well could in the future. At that point, we lose control over the setup of the machines, etc. That is the whole purpose of signing RPMs and signing the shasum files .. so you can verify them regardless of the mirror.
so, maybe a script or some details on how one can get the keys from www.centos.org/keys ? and have the script itself hosted behind https on the keys page ?
w.r.t the images/ I don't think we should add the non versioned files to the sha sums - since that will constantly be changing, at least once a month. It might be better to have a README file in that dir that shows up when someone looks at the dir listing, and have that explain the setup ?
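A script of the kind Karanbir suggests, added here as an example and not code from the thread or from the CentOS project: it assumes the signing key's fingerprint has been copied by hand from https://www.centos.org/keys/ into CENTOS_KEY_FPR (the zeros below are a placeholder), that sha256sum.txt.asc is a detached signature over sha256sum.txt, and that the caller passes the versioned image filename, since the unversioned name is a symlink that sha256sum.txt does not list.

```shell
#!/bin/sh
# Added example, not the thread's or the CentOS project's code: verify a
# CentOS cloud image against the signed sha256sum.txt discussed above.
# Assumes the key fingerprint is copied by hand from https://www.centos.org/keys/
# into CENTOS_KEY_FPR, sha256sum.txt.asc is a detached signature, and
# curl, gpg and GNU coreutils are installed.
set -eu
BASE_URL="${BASE_URL:-https://cloud.centos.org/centos/7/images}"
KEY_FPR="${CENTOS_KEY_FPR:-0000000000000000000000000000000000000000}"  # PLACEHOLDER: 40 hex chars

# The unversioned name is a symlink and is not listed in sha256sum.txt, so
# resolve it to the versioned filename the checksum file actually carries.
versioned_name() {
    basename "$(readlink -f "$1")"
}

# Check one image against the sha256sum.txt next to it. Returns 0 on match,
# 1 if the versioned name is absent from the list or the hash differs.
verify_image_hash() {
    dir=$(dirname "$(readlink -f "$1")")
    name=$(versioned_name "$1")
    # exact filename match; tolerate sha256sum's "*name" binary-mode marker
    line=$(awk -v n="$name" '{f=$2; sub(/^\*/,"",f)} f == n' "$dir/sha256sum.txt")
    [ -n "$line" ] || return 1
    (cd "$dir" && printf '%s\n' "$line" | sha256sum -c --quiet -)
}

# Verify sha256sum.txt.asc with a throwaway keyring holding only the pinned
# key. gpg's "not certified with a trusted signature" warning refers to the
# web of trust; here trust comes from the fingerprint match instead.
verify_checksum_signature() {
    ring="$1/centos-keyring.gpg"
    gpg --batch --no-default-keyring --keyring "$ring" --recv-keys "$KEY_FPR"
    gpg --batch --no-default-keyring --keyring "$ring" --with-colons --fingerprint \
        | grep -q "^fpr:.*:$KEY_FPR:$"
    gpg --batch --no-default-keyring --keyring "$ring" --verify \
        "$1/sha256sum.txt.asc" "$1/sha256sum.txt"
}

# Fetch over HTTPS (-L follows redirects, as the thread notes) and verify.
# Pass the versioned filename: a downloaded copy of the unversioned name is a
# plain file, not a symlink, so it cannot be matched against sha256sum.txt.
main() {
    dir=$(mktemp -d)
    for f in sha256sum.txt sha256sum.txt.asc "$1"; do
        curl -fsSL -o "$dir/$f" "$BASE_URL/$f"
    done
    verify_checksum_signature "$dir"
    verify_image_hash "$dir/$1"
    echo "verified: $dir/$1"
}
[ "$#" -eq 0 ] || main "$@"
```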