On 27/03/19 19:08, Wainer dos Santos Moschetta wrote: > > > On 03/27/2019 01:15 PM, Paolo Bonzini wrote: >> On 27/03/19 17:05, Daniel P. Berrangé wrote: >>> On Wed, Mar 27, 2019 at 04:58:23PM +0100, Paolo Bonzini wrote: >>>> On 27/03/19 16:30, Daniel P. Berrangé wrote: >>>>> Perhaps the VM test scripts should do a "HEAD" request for the image >>>>> every time to discover if it has been changed on the server, before >>>>> honouring the local cache. >>>> Another possibility is to first download the shasum from >>>> download.patchew.org, and compare _that_ against the one that is stored >>>> locally, instead of hardcoding it in QEMU's repository. >>> Personally I prefer the idea of having the shasum stored in the repo. >>> >>> That means that if we update git master to point to a newer image, >>> previous stable branches will stick with their original image, rather >>> than using a new image that may be incompatible with the stable branch >>> >>> Storing hash in git also means that if someone compromised the patchew >>> server, they can't cause developer to run compromised images, without >>> first also compromising git to change the hash. >> The two are not mutually exclusive. We can warn if the hash doesn't >> match against the one in QEMU, add a --force option, or whatever. > > I'm about to send a patch to make vm-test work with Python3. I can work > on that image checking mechanism you folks have discussed, unless > someone is already working on it.
Absolutely not, go for it! Paolo
