On 25/02/16 12:04, Beni Paskin-Cherniavsky wrote:
> Hi. [Follow up from https://github.com/openshift/openshift-ansible/issues/1384]
> I did not RTFM, this is a fresh-eyes-I-just-want-to-download-an-image perspective...
>
> Looking at http://cloud.centos.org/centos/7/images/, I see -1602 is latest version.
>
> - If for some reason I want to use the unversioned
>   CentOS-7-x86_64-GenericCloud.* files, it's hard to be sure what I'll get
>   (other than by downloading => I am getting 1602).
>
> - sha256sum.txt{,.asc} contain no hashes for the unversioned files.
>
> File size does suggest it's 1602.
>
> Ideally the file listing would actually show them as "name -> target" symlink,
> and/or downloading would return an HTTP redirect to the current version.
> Currently it returns the content directly, only identifying headers are
> `Last-Modified: Tue, 23 Feb 2016 17:53:08 GMT` and
> `ETag: "fcc0480-52c739f3d2900"` (for the .xz).
> [Be careful with redirect: some scripts/libraries by default don't
> follow them, e.g. any script using `curl` without `-L` would break :-(]
>
> - http://cloud.centos.org/centos/7/images/sha256sum.txt{,.asc} are not
>   available over HTTPS. I can verify the hash but I can't trust
>   the hash itself. That's what .asc is signed for, but lazy folks
>   like me don't necessarily know which key to trust...
>   (`gpg --search-keys F4A80EB5` worked but then `gpg --verify` says
>   "WARNING: This key is not certified with a trusted signature!".
>   No idea what that means - I'm clueless with GPG;
>   trusting https://cloud.centos.org would be trivial for me.)
>
> Looking at https://wiki.centos.org/Download:
>
> - It only links to the unversioned cloud images, doesn't say it's 1602
>   (other places on that page give the impression everything 7 is 1511),
>   and doesn't list hashes.
>
> - I don't see a link to release notes for cloud images;
>   https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7 is for 1511
>   and only talks of the regular ISOs.
>
> https://wiki.centos.org/Cloud doesn't mention any specific versions,
> release notes or hashes either.
>
> Googling "centos cloud 1602" didn't lead me to any "official" announcement.
> Nothing on centos-announce this February. Is -1602 "officially" released?
> (I personally don't really care, but "what changed" is the first natural
> question people ask beyond "I just want the latest"...)
>
> Hope this is useful feedback.

It is - very much so, you just caught us in the middle of a release! 1602 will be announced in the next few hours.

Having said that, I don't have a clear answer to the https comment, and the cascading trust from a known trust authority. Given what happened in the recent past, and how agencies get involved in the SSL games, I am not sure if a https cert validates origin really well (maybe it's good enough, and it's for sure better than where we are now, over http).

For the filenames, let's see what we can get to - at one point I did go down the route of redirects to have the downloaded file always have the versioned name - but feedback indicated people were just looking for a 'latest.tar.gz' experience. Maybe we can still retain that and have a good validation chain as well, with the date stamped files.

regards

--
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
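
The gap raised in the quoted message (sha256sum.txt has no entry for the unversioned files) can be worked around on the client by hashing the download and looking that digest up among the versioned entries. This is an added example, not code from the thread or from CentOS; the versioned file names and image bytes are constructed, and it assumes the manifest was authenticated separately through its .asc signature, since a match proves nothing if the manifest itself is untrusted.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Line format written by `sha256sum`: 64 hex digits, one space, a ' ' or '*'
# mode marker (text/binary), then the file name.
_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_manifest(text):
    """Map lowercase digest -> list of file names listed with that digest."""
    by_digest = {}
    for line in text.splitlines():
        m = _LINE.match(line.rstrip("\r"))
        if m:  # blank or non-matching lines are ignored
            by_digest.setdefault(m.group(1).lower(), []).append(m.group(2))
    return by_digest


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so multi-gigabyte images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def identify_image(image_path, manifest_text):
    """Return the manifest names whose digest equals the image's (may be empty)."""
    return parse_manifest(manifest_text).get(sha256_file(image_path), [])


def demo():
    """Constructed sample: stand-in image bytes and a two-entry manifest."""
    with tempfile.TemporaryDirectory() as d:
        image = Path(d) / "CentOS-7-x86_64-GenericCloud.qcow2.xz"
        image.write_bytes(b"constructed stand-in for image contents")
        older = hashlib.sha256(b"older build").hexdigest()
        manifest = (
            f"{older}  CentOS-7-x86_64-GenericCloud-1511.qcow2.xz\n"
            f"{sha256_file(image).upper()} *CentOS-7-x86_64-GenericCloud-1602.qcow2.xz\n"
        )
        return identify_image(image, manifest)


if __name__ == "__main__":
    print(demo())
```

An empty result means the unversioned file matches no listed release and should be treated as unverified.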