Excerpts from Adam Heath's message of 2016-08-10 17:34:36 -0500:
> On 08/10/2016 05:18 PM, Clint Byrum wrote:
> > I think a fixed URL for downloading images of major versions would in
> > fact be good. But you still need to verify the integrity of that image,
> > for the internet is dark, and full of terrors.
> >
>
> Verification of the existing images has to happen regardless; having a
> stable url has nothing at all to do with that. You're conflating issues.

Correct that the verification has to happen. But, the OP was suggesting that he just tells OpenStack's glance service to download these images directly from the internet on his hypervisor hosts (which is what --location does). This means that no verification happens before the VM boots. The image is downloaded, turned into a filesystem for a VM, and booted, without ever having consulted a list of cryptographic hashes, gpg key, or even a crc32. :-/