Just a quick update / follow-up. DigitalOcean updated their blog post[1][2]. The updated post says that scrubbing is now enabled by default for all the newly issued destroy requests:
> All Destroys Default to Scrub > We have updated the destroy method to scrub on all destroys, both for > web and API requests. This means that no action is required on the client side and upgrading to 0.13.3 should not be necessary anymore. [1]: https://twitter.com/digitalocean/status/418140046265294848 [2]: https://digitalocean.com/blog_posts/transparency-regarding-data-security On Tue, Dec 31, 2013 at 3:45 PM, Tomaz Muraus <[email protected]> wrote: > Libcloud is a Python library that abstracts away the differences among > multiple cloud provider APIs. It allows users to manage cloud services > (servers, storage, load balancers, DNS) offered by many different providers > through a single, unified and easy to use API. > > This is a security-fix only release. It fixes a security issue with a > potential > leak of data contained on a destroyed DigitalOcean node. Only users who are > using a DigitalOcean driver are affected. > > DigitalOcean recently changed the default API behavior from scrub to > non-scrub > when destroying a VM without notifying the customers and API consumers. > > Libcloud prior to this release doesn't explicitly send "scrub_data" query > parameter when destroying a node. This means nodes which are destroyed using > Libcloud are vulnerable to later customers stealing data contained on them. > > This release fixes that by always sending "scrub_data" query parameter when > destroying a DigitalOcean node. > > If you are using a DigitalOcean driver, you are strongly encouraged to > upgrade > (or downgrade if you are using 0.14.0-beta3 beta release) to this release. > > More information is available on our "Security" page - > https://libcloud.apache.org/security.html > > Download > > Libcloud 0.13.3 can be downloaded from > http://libcloud.apache.org/downloads.html > > or installed using pip: > > pip install apache-libcloud==0.13.3 > > It is possible that the file hasn't been synced to all the mirrors yet. If > this > is the case, please use the main Apache mirror - > https://www.apache.org/dist/libcloud. > > Upgrading > > If you have installed Libcloud using pip you can also use it to upgrade it: > > pip install --upgrade apache-libcloud==0.13.3 > > Upgrade notes > > A page which describes backward incompatible or semi-incompatible > changes and how to preserve the old behavior when this is possible > can be found at > https://libcloud.readthedocs.org/en/latest/upgrade_notes.html > > Documentation > > Regular and API documentation is available at > https://libcloud.readthedocs.org/en/latest/. > > Bugs / Issues > > If you find any bug or issue, please report it on our issue tracker > <https://issues.apache.org/jira/browse/LIBCLOUD>. > Don't forget to attach an example and / or test which reproduces your > problem. > > Thanks > > Thanks to everyone who contributed and made this release possible! > > Full list of people who contributed to this release can be found in the > CHANGES > file > <https://git-wip-us.apache.org/repos/asf?p=libcloud.git;a=blob;f=CHANGES;h=a06b0ed4c443f9f56784572a4e291e779de599e3;hb=a1fdac91ec9fdf699d77f9f9b01699de7f56171e#l3>.
