Yeah, I do agree that there is a fine line between what Libcloud should be responsible for and what not.
As far as those two points go: 1. I think public key validation is not much different than any other argument validation we do. 2. Yes, this one is debatable :) We personally can't (and shouldn't) try to protect our users from every potentially dangerous thing they can do, but I think that warning users about installing potentially weak key is something we can do with a very little effort so we probably should do it. On Tue, Oct 29, 2013 at 3:19 AM, Jerry Chen <[email protected]> wrote: > > On Oct 28, 2013, at 5:55 PM, Tomaz Muraus <[email protected]> wrote: > > > Currently we don't do any kind of ssh key validation inside > > the SSHKeyDeployment class. > > > > I think it would be useful to do the following: > > > > 1. Validate the SSH key format and make sure it's valid. > > 2. Validate size of the RSA keys and error out on potentially weak (<= > 1024 > > bits) keys. This would be done to increase security consciousness and > > discourage people from using weak keys. > > > > Here is a very quick and simple prototype - > > https://github.com/apache/libcloud/pull/170 > > > > Do you think something like this would be a useful addition to the core? > > I think it'd certainly be a nice feature but Libcloud shouldn't be > responsible for SSH validation or recommendations for weak keys, IMHO. > > Jerry > >
