[CentOS-devel] Vagrant ignores checksums, instead of validating them

On 11/11/17 16:42, Marcin Dulak wrote:
> is this an open bug against vagrant?
> By reading
> https://github.com/hashicorp/vagrant/issues/8714#issuecomment-311240889 it
> seems that vagrant people are providing checksum verification

It is rather a missing feature of Atlas (the Vagrant check exists and 
works correctly if you are pointing "vagrant add" to a JSON file on your 
own web server, like the JSON files Endymion is generating - I tested 
that extensively back then).  The Atlas web interface only allows you to 
specify a description for the box, and, for each version, release notes 
and download links for each provider.  Atlas generates a JSON file based 
on that information - there's no way to specify a checksum anywhere 
(including the checksum in the metadata.json inside the .box file 
doesn't work).  The Atlas API won't let you specify checksums either, 
just a name and url:

https://www.vagrantup.com/docs/vagrant-cloud/api.html#providers


Not even the newest release of Hashicorp's own Vagrant images provide 
the necessary checksums:

$ curl https://app.vagrantup.com/hashicorp/boxes/ubuntu-10.04-i386 | 
python3 -m json.tool
   % Total    % Received % Xferd  Average Speed   Time    Time     Time 
Current
                                  Dload  Upload   Total   Spent    Left 
Speed
100   330    0   330    0     0    330      0 --:--:--  0:00:01 --:--:-- 
   238
{
     "description": "",
     "short_description": "",
     "name": "hashicorp/ubuntu-10.04-i386",
     "versions": [
         {
             "version": "0.1.0",
             "status": "active",
             "description_html": null,
             "description_markdown": "",
             "providers": [
                 {
                     "name": "vmware_desktop",
                     "url": 
"https://vagrantcloud.com/hashicorp/boxes/ubuntu-10.04-i386/versions/0.1.0/providers/vmware_desktop.box"
                 }
             ]
         }
     ]
}