[CentOS-devel] Cloud images: what's current / release notes / hashes?

Fri Feb 26 15:42:51 UTC 2016
Johnny Hughes <johnny at centos.org>

On 02/25/2016 06:04 AM, Beni Paskin-Cherniavsky wrote:
> Hi. [Follow up from https://github.com/openshift/openshift-ansible/issues/1384]
> I did not RTFM, this is a fresh-eyes-I-just-want-to-download-an-image perspective...
> 
> Looking at http://cloud.centos.org/centos/7/images/, I see -1602 is latest version.
> 
> - If for some reason I want to use the unversioned 
>   CentOS-7-x86_64-GenericCloud.* files, it's hard to be sure what I'll get
>   (other than by downloading => I am getting 1602).
> 
>   - sha256sum.txt{,.asc} contain no hashes for the unversioned files.

The unversioned files are always just a symlink to the latest version.

I guess I can add them to the sha256sum.txt file .. but they are always the
latest, and the latest will have the newest date (so 1602 is 2016-Feb ..
1511 is 2015-Nov).

> 
>   File size does suggest it's 1602.
> 
>   Ideally the file listing would actually show them as "name -> target" symlink, 
>   and/or downloading would return an HTTP redirect to the current version.
>   Currently it returns the content directly, only identifying headers are 
>   `Last-Modified: Tue, 23 Feb 2016 17:53:08 GMT` and 
>   `ETag: "fcc0480-52c739f3d2900"` (for the .xz).
>   [Be careful with redirect: some scripts/libraries by default don't 
>   follow them, e.g. any script using `curl` without `-L` would break :-(]
> 
> - http://cloud.centos.org/centos/7/images/sha256sum.txt{,.asc} are not 
>   available over HTTPS.  I can verify the hash but I can't trust 
>   the hash itself.  That's what .asc is signed for, but lazy folks
>   like me don't necessarily know which key to trust...
>   (`gpg --search-keys F4A80EB5` worked but then `gpg --verify` says
>    "WARNING: This key is not certified with a trusted signature!".
>    No idea what that means - I'm clueless with GPG; 
>    trusting https://cloud.centos.org would be trivial for me.)

CentOS is a community project and we have lots of external, NON-CentOS
mirrors for several items.  While that is NOT currently happening for
cloud.centos.org, it very well could in the future.  At that point, we
lose control over the setup of the machines, etc.  That is the whole
purpose of signing RPMs and signing the shasum files .. so you can
verify them regardless of the mirror.

<snip>
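The verification flow the reply describes, carried through end to end as an added example (not part of this thread or of CentOS tooling): check sha256sum.txt against its detached .asc signature using only a keyring holding one pinned key, then check the image against the signed list, resolving the unversioned symlink to the versioned name that sha256sum.txt actually lists. CENTOS_FPR is a placeholder for the full fingerprint of the signing key, obtained out of band; gpg, sha256sum and readlink -f are assumed to be available.

```shell
#!/bin/sh
# Added example: verify a CentOS cloud image via the signed sha256sum.txt.
set -eu

# Placeholder: fill in the full fingerprint of the signing key from an
# out-of-band source (not the short ID a keyserver search returns).
CENTOS_FPR="${CENTOS_FPR:-REPLACE-WITH-FULL-KEY-FINGERPRINT}"

# Verify the detached signature on sha256sum.txt.  Only the supplied keyring
# is consulted and the VALIDSIG status line must name the pinned fingerprint,
# so a valid signature from some other key does not pass.  Returns 0 on success.
verify_sums_signature() {
    sums=$1; sig=$2; keyring=$3
    gpg --no-default-keyring --keyring "$keyring" --status-fd 1 \
        --verify "$sig" "$sums" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG .*$CENTOS_FPR"
}

# Check one image against the signed list.  sha256sum.txt only lists the
# versioned file names, so the unversioned symlink is resolved to its target
# first.  Returns 0 if the hash matches, 1 on mismatch, 2 if no entry exists.
verify_image_hash() {
    image=$1; sums=$2
    target=$(readlink -f "$image")   # same path when the file is not a link
    name=$(basename "$target")
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 2; }
    actual=$(sha256sum "$target" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Usage: sh verify-image.sh IMAGE sha256sum.txt sha256sum.txt.asc
if [ $# -eq 3 ]; then
    keyring="$(mktemp -d)/pinned.gpg"   # fresh keyring containing only the pinned key
    gpg --no-default-keyring --keyring "$keyring" --recv-keys "$CENTOS_FPR"
    if verify_sums_signature "$2" "$3" "$keyring" && verify_image_hash "$1" "$2"; then
        echo "OK: $1"
    else
        echo "FAILED: $1" >&2
        exit 1
    fi
fi
```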
