[CentOS-devel] Cloud images: what's current / release notes / hashes?

Thu Feb 25 22:58:10 UTC 2016
Beni Paskin-Cherniavsky <cben at redhat.com>

> From: "Karanbir Singh" <mail-lists at karan.org>
> 
> Having said that, I don't have a clear answer to the https comment, and
> the cascading trust from a known trust authority. Given what happened in
> the recent past, and how agencies get involved in the SSL games, I am
> not sure if an https cert validates origin really well ( maybe it's good
> enough, and it's for sure better than where we are now, over http ).
> 
To clarify my comments, I'm not claiming SSL is more/less secure than GPG,
it's just convenient and (almost) unavoidable.
I did find https://www.centos.org/keys/ easily a minute later,
which nicely confirmed I got the right key, so SSL is my root of trust.
Not being a signing-party-going GPG nerd, I have no clue how to
bootstrap trust without SSL.  (And I don't get the keys magically installed
via centos-release - I'm on a Fedora machine.)

- It'd be nice if https://www.centos.org/keys/ told how to obtain the keys
  [and mark them trusted].  Currently it just lists their fingerprints.
  Bonus points if it told how to verify downloaded images.

Similarly most people add some repos following online instructions, which
means they also ultimately trust SSL.  (Best-case; I'm afraid 50% happily
trust "curl http:... | sudo ... --nogpgcheck" instructions.)

> For the filenames, let's see what we can get to - at one point I did go
> down the route of redirects to have the downloaded file always have the
> versioned name - but feedback indicated people were just looking for a
> 'latest.tar.gz' experience. maybe we can still retain that and have a
> good validation chain as well, with the date stamped files.
> 
I happened to start from the images/ dir but most people probably start
from https://wiki.centos.org/Download; I think improving that page is more
important.  As for the directory, adding a README there could be enough.
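A worked version of the verification flow the thread is asking for (pin the key fingerprint published at https://www.centos.org/keys/, then verify an image through a signed checksum list), added here as an example and not something from the list or the CentOS project; it assumes gpg and coreutils are installed and uses placeholder file names.

```shell
#!/bin/sh
# Added example (not from the thread): bootstrap trust in a release-signing key by
# pinning the fingerprint read from https://www.centos.org/keys/ over HTTPS, then
# verify a downloaded image against a clearsigned sha256sum list. Needs gpg and
# coreutils; the file names and fingerprint in the usage comment are placeholders.
set -u

# import_pinned_key KEYFILE FINGERPRINT
# Refuses the key unless its primary fingerprint equals the pinned one, then imports
# it and marks it trusted (ownertrust 6 = ultimate) in the current keyring.
import_pinned_key() {
    keyfile=$1
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    # List the file's keys without importing; field 10 of an "fpr" record is the fingerprint.
    actual=$(gpg --batch --with-colons --with-fingerprint "$keyfile" 2>/dev/null \
             | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "refusing $keyfile: fingerprint '$actual' != pinned '$expected'" >&2
        return 1
    fi
    gpg --batch --quiet --import "$keyfile" || return 1
    printf '%s:6:\n' "$actual" | gpg --batch --quiet --import-ownertrust
}

# verify_image SIGNED_CHECKSUMS IMAGE
# Checks the signature first and then hashes the image only against the line taken
# from the verified body, never against a bare, unsigned sha256sum.txt.
verify_image() {
    sigfile=$1
    image=$2
    body=$(mktemp) || return 1
    # --decrypt on a clearsigned file writes out the signed text and exits non-zero
    # on a bad signature or an unknown key.
    if ! gpg --batch --quiet --yes --output "$body" --decrypt "$sigfile"; then
        echo "signature check failed for $sigfile" >&2
        rm -f "$body"
        return 1
    fi
    name=$(basename "$image")
    ( cd "$(dirname "$image")" && awk -v f="$name" '$2 == f' "$body" | sha256sum -c --status )
    rc=$?
    rm -f "$body"
    [ "$rc" -eq 0 ] || echo "checksum mismatch or no entry for $name" >&2
    return "$rc"
}

# Typical use once key and checksums have been fetched over HTTPS (placeholders):
#   import_pinned_key '<key file downloaded from https://www.centos.org/keys/>' '<fingerprint shown on that page>'
#   verify_image sha256sum.txt.asc '<downloaded image file>'
```

The fingerprint comparison is the step that turns "I fetched it over https" into a pinned trust anchor; everything after it (the clearsigned list, the per-file hash) is only as good as that first check.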