summaryrefslogtreecommitdiff
path: root/releasenotes/notes/multihash-download-verification-596e91bf7b68e7db.yaml
blob: f32b4a9eaf239359b0ae633943563d615f160d50 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

---
features:
  - |
    This release adds verification of image data downloads using the Glance
    "multihash" feature introduced in the OpenStack Rocky release.  When
    the ``os_hash_value`` is populated on an image, the glanceclient will
    verify this value by computing the hexdigest of the downloaded data
    using the algorithm specified by the image's ``os_hash_algo`` property.

    Because the secure hash algorithm specified is determined by the cloud
    provider, it is possible that the ``os_hash_algo`` may identify an
    algorithm not available in the version of the Python ``hashlib`` library
    used by the client.  In such a case the download will fail due to an
    unsupported hash type.  In the event this occurs, a new option,
    ``--allow-md5-fallback``, is introduced to the ``image-download`` command.
    When present, this option will allow the glanceclient to use the legacy
    MD5 checksum to verify the downloaded data if the secure hash algorithm
    specified by the ``os_hash_algo`` image property is not supported.

    Note that the fallback is *not* used in the case where the algorithm is
    supported but the hexdigest of the downloaded data does not match the
    ``os_hash_value``.  In that case the download fails regardless of whether
    the option is present or not.

    Whether using the ``--allow-md5-fallback`` option is a good idea depends
    upon the user's expectations for the verification.  MD5 is an insecure
    hashing algorithm, so if you are interested in making sure that the
    downloaded image data has not been replaced by a datastream carefully
    crafted to have the same MD5 checksum, then you should not use the
    fallback.  If, however, you are using Glance in a trusted environment
    and your interest is simply to verify that no bits have flipped during
    the data transfer, the MD5 fallback is sufficient for that purpose.  That
    being said, it is our recommendation that the multihash should be used
    whenever possible.
security:
  - |
    This release of the glanceclient uses the Glance "multihash" feature,
    introduced in Rocky, to use a secure hashing algorithm to verify the
    integrity of downloaded data.  Legacy images without the "multihash"
    image properties (``os_hash_algo`` and ``os_hash_value``) are verified
    using the MD5 ``checksum`` image property.
View Lorry Controller Status