On Wed, Mar 22, 2017 at 11:23 PM, Laurentiu Pancescu <lpancescu at gmail.com> wrote: > Hi there, > > I've been looking at making it easier for Vagrant users to verify our images > when adding them. The Vagrant documentation mentions that the checksum can > be added to the box metadata[1], and that this is done automatically if you > build the box on Atlas - indeed, the source code shows they are verifying a > checksum from the downloaded metadata[2]. > > Unfortunately, Atlas does not seem to provide such a checksum for any of the > boxes I checked - neither those hosted by them, like debian/jessie64, nor > external ones like ours' or Fedora's. The Bento boxes seemed to offer a > checksum, but that's just their complete JSON metadata somehow ending up in > the description field on Atlas (I assume that's an automatic step not doing > what the Bento developers intended - I saw no message about verifying the > checksum when adding bento/debian-8.7). > > We already host the images on cloud.centos.org. We could also generate the > needed JSON metadata (we only need one file for all centos/7 images, and one > for centos/6), including the SHA256 checksums. We could also create two > Apache aliases (e.g. cloud.centos.org/vagrant/7) to make life easier for our > users - after an initial "vagrant box add > https://cloud.centos.org/vagrant/7", which would prove the checksum > automatically, they would also be notified when new images appear and be > able to use "vagrant box update centos/7", just like they do now. > > This would allow us to even move away from Atlas, if desired. We would > finally be able to completely automate our Vagrant releases, instead of > manually adding the releases to Atlas every month, and not even having > embedded checksums. There was an Atlas CLI that proved not to work as > expected: our 1701 and 1702 releases didn't end up on Atlas, we had to > intervene. The big question is how we could communicate this to our users, > not the technical side: I already tested this with a local webserver, > serving the centos/7 JSON downloaded from Atlas, which I edited to add an > SHA256 checksum - Vagrant automatically verified the checksum after the > download was finished. > > Any thoughts? > > Laurențiu > > > [1] https://www.vagrantup.com/docs/boxes/format.html#box-metadata > [2] > https://github.com/mitchellh/vagrant/blob/master/lib/vagrant/action/builtin/box_add.rb#L136-L145 > _______________________________________________ > CentOS-devel mailing list > CentOS-devel at centos.org > https://lists.centos.org/mailman/listinfo/centos-devel Hi Laurențiu I think there is still some benefit to maintaining a presence on Atlas if possible, as it is where Vagrant users are likely to search for CentOS boxes first. But hosting the metadata on the CentOS infrastructure makes a lot of sense for the reasons you mentioned. I guess you could maybe leave a final release in Atlas pointing people to the new location when it's available. By the way, from what I can understand from the commit history [1], it looks like the Bento metadata was added for a similar reason, to allow them to consider standing up their own metadata server in place of Atlas. [1] https://github.com/chef/bento/pull/387