To be clear, LXD never pulls from unsafe sources and doesn't even have http download code outside of the separate simplestream downloader (which will only download over http files it can hash safely from index data it got over https). Our https download code is also stricter than most, requiring the use of known safe ciphers and a recent version of the TLS protocol.
Enabling self-signed https is rather trivial to do and once done, the LXD API and its command line client will let you safely indicate what certificate is valid for that remote, making it perfectly safe for LXD to then pull in such an environment, without leaking identifiable information or allowing man-in-the-middle attacks on the network.

--
https://bugs.launchpad.net/bugs/1659418
Title: lxd-client should accept images from non-SSL URLs
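The comment above describes downloading a file over plain http only when its hash came from index data fetched over https. The following is an added example of that check, not LXD's or simplestreams' own code; `IndexItem`, `VerifyDownload`, `ErrMismatch` and the sample payloads are hypothetical names and constructed data.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// IndexItem is a simplified, hypothetical index entry: what the client
// learned over verified https before fetching the file over plain http.
type IndexItem struct {
	Path   string
	Size   int64
	SHA256 string // hex digest taken from the trusted index
}

var ErrMismatch = errors.New("download does not match trusted index")

// VerifyDownload streams body (untrusted transport) into dst and accepts it
// only if both length and SHA-256 match the index entry. dst should be a
// temporary location that the caller discards when an error is returned.
func VerifyDownload(item IndexItem, body io.Reader, dst io.Writer) error {
	want, err := hex.DecodeString(item.SHA256)
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("bad digest in index for %s", item.Path)
	}
	h := sha256.New()
	// Read at most Size+1 bytes: an oversized response is detected
	// without consuming an unbounded stream.
	n, err := io.Copy(io.MultiWriter(h, dst), io.LimitReader(body, item.Size+1))
	if err != nil {
		return err
	}
	if n != item.Size || subtle.ConstantTimeCompare(h.Sum(nil), want) != 1 {
		return ErrMismatch
	}
	return nil
}

func main() {
	data := []byte("constructed image payload") // constructed sample
	sum := sha256.Sum256(data)
	item := IndexItem{Path: "images/example.tar.xz", Size: int64(len(data)), SHA256: hex.EncodeToString(sum[:])}
	fmt.Println(VerifyDownload(item, bytes.NewReader(data), io.Discard))
	fmt.Println(VerifyDownload(item, bytes.NewReader([]byte("tampered image payload!!!")), io.Discard))
}
```

The integrity of the file then rests entirely on the index: if the index itself were fetched without certificate validation, the hash check would prove nothing.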
