[CentOS-devel] Cloud images: what's current / release notes / hashes?

Thu Feb 25 16:01:03 UTC 2016
Karanbir Singh <mail-lists at karan.org>

On 25/02/16 12:04, Beni Paskin-Cherniavsky wrote:
> Hi. [Follow up from https://github.com/openshift/openshift-ansible/issues/1384]
> I did not RTFM, this is a fresh-eyes-I-just-want-to-download-an-image perspective...
> 
> Looking at http://cloud.centos.org/centos/7/images/, I see -1602 is latest version.
> 
> - If for some reason I want to use the unversioned 
>   CentOS-7-x86_64-GenericCloud.* files, it's hard to be sure what I'll get
>   (other than by downloading => I am getting 1602).
> 
>   - sha256sum.txt{,.asc} contain no hashes for the unversioned files.
> 
>   File size does suggest it's 1602.
> 
>   Ideally the file listing would actually show them as "name -> target" symlink, 
>   and/or downloading would return an HTTP redirect to the current version.
>   Currently it returns the content directly, only identifying headers are 
>   `Last-Modified: Tue, 23 Feb 2016 17:53:08 GMT` and 
>   `ETag: "fcc0480-52c739f3d2900"` (for the .xz).
>   [Be careful with redirect: some scripts/libraries by default don't 
>   follow them, e.g. any script using `curl` without `-L` would break :-(]
> 
> - http://cloud.centos.org/centos/7/images/sha256sum.txt{,.asc} are not 
>   available over HTTPS.  I can verify the hash but I can't trust 
>   the hash itself.  That's what .asc is signed for, but lazy folks
>   like me don't necessarily know which key to trust...
>   (`gpg --search-keys F4A80EB5` worked but then `gpg --verify` says
>    "WARNING: This key is not certified with a trusted signature!".
>    No idea what that means - I'm clueless with GPG; 
>    trusting https://cloud.centos.org would be trivial for me.)
> 
> Looking at https://wiki.centos.org/Download:
> 
> - It only links to the unversioned cloud images, doesn't say it's 1602
>   (other places on that page give the impression everything 7 is 1511), 
>   and doesn't list hashes.
> 
> - I don't see a link to release notes for cloud images; 
>   https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7 is for 1511 
>   and only talks of the regular ISOs.
> 
> https://wiki.centos.org/Cloud doesn't mention any specific versions,
> release notes or hashes either.
> 
> Googling "centos cloud 1602" didn't lead me to any "official" announcement.
> Nothing on centos-announce this February.  Is -1602 "officially" released?
> (I personally don't really care, but "what changed" is the first natural
> question people ask beyond "I just want the latest"...)
> 
> Hope this is useful feedback.


it is - very much so,

you just caught us in the middle of a release! 1602 will be announced in
the next few hours.

Having said that, I don't have a clear answer to the https comment, and
the cascading trust from a known trust authority. Given what happened in
the recent past, and how agencies get involved in the SSL games, I am
not sure if a https cert validates origin really well ( maybe it's good
enough, and it's for sure better than where we are now, over http ).

For the filenames, let's see what we can get to - at one point I did go
down the route of redirects to have the downloaded file always have the
versioned name - but feedback indicated people were just looking for a
'latest.tar.gz' experience. Maybe we can still retain that and have a
good validation chain as well, with the date stamped files.

regards


-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
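The validation gap the thread describes (sha256sum.txt lists only the versioned names, while the unversioned "latest" name is what gets downloaded) can be closed client-side by resolving the unversioned symlink to its versioned target before looking up the hash. This is an added Python example, not CentOS tooling or either poster's code; the file names and contents are constructed stand-ins.

```python
# Added example (not CentOS tooling): verify a cloud image against a
# sha256sum.txt that lists only the versioned names, resolving the
# unversioned symlink to its versioned target. Sample files are constructed.
import hashlib
import os
import tempfile

def parse_sha256sum(text):
    """Parse coreutils 'sha256sum' output ('<hex>  <name>') into {name: hex}."""
    hashes = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.strip().partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError("malformed line: %r" % line)
        hashes[name.lstrip("*")] = digest.lower()  # '*' prefix = binary mode
    return hashes

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # open() follows symlinks, so real bytes
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image(path, hashes):
    """Return the versioned name `path` verified as, or raise. The unversioned
    link has no sha256sum.txt entry, so fall back to its link target's name."""
    name = os.path.basename(path)
    if name not in hashes and os.path.islink(path):
        name = os.path.basename(os.readlink(path))  # e.g. ...-1602.qcow2.xz
    if name not in hashes:
        raise KeyError("no hash listed for %s" % name)
    if sha256_of(path) != hashes[name]:
        raise ValueError("sha256 mismatch for %s" % name)
    return name

def demo():
    """Constructed layout: a versioned image plus an unversioned symlink."""
    d = tempfile.mkdtemp()
    versioned = os.path.join(d, "CentOS-7-x86_64-GenericCloud-1602.qcow2.xz")
    with open(versioned, "wb") as f:
        f.write(b"stand-in image bytes")  # constructed, not a real image
    link = os.path.join(d, "CentOS-7-x86_64-GenericCloud.qcow2.xz")
    os.symlink(versioned, link)
    listing = "%s  %s\n" % (sha256_of(versioned), os.path.basename(versioned))
    return verify_image(link, parse_sha256sum(listing))
```

Verifying the hash file itself still requires checking its .asc signature against a key fingerprint you trust; this example only covers the file-to-hash step.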