On 03/27/2019 01:15 PM, Paolo Bonzini wrote:
> On 27/03/19 17:05, Daniel P. Berrangé wrote:
>> On Wed, Mar 27, 2019 at 04:58:23PM +0100, Paolo Bonzini wrote:
>>> On 27/03/19 16:30, Daniel P. Berrangé wrote:
>>>> Perhaps the VM test scripts should do a "HEAD" request for the image
>>>> every time to discover if it has been changed on the server, before
>>>> honouring the local cache.
>>>
>>> Another possibility is to first download the shasum from
>>> download.patchew.org, and compare _that_ against the one that is stored
>>> locally, instead of hardcoding it in QEMU's repository.
>>
>> Personally I prefer the idea of having the shasum stored in the repo.
>> That means that if we update git master to point to a newer image,
>> previous stable branches will stick with their original image, rather
>> than using a new image that may be incompatible with the stable branch.
>>
>> Storing the hash in git also means that if someone compromised the patchew
>> server, they can't cause developers to run compromised images, without
>> first also compromising git to change the hash.
>
> The two are not mutually exclusive. We can warn if the hash doesn't
> match against the one in QEMU, add a --force option, or whatever.

I'm about to send a patch to make vm-test work with Python3. I can work
on that image checking mechanism you folks have discussed, unless
someone is already working on it.

- Wainer

> Also, I have now created symlinks by hash at
> http://download.patchew.org/by-sha256sum in case someone finds them useful.
>
> Paolo
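
An added example, not part of the thread and not QEMU's code: one way to combine the two proposals, where the SHA-256 pinned in the repository decides whether a cached image may be used and a differing server-published hash only produces a warning. The names `check_image`, `ImageHashMismatch` and the `force` parameter are hypothetical, and the image contents are constructed sample data.

```python
import hashlib
import os
import tempfile

class ImageHashMismatch(Exception):
    """Cached image does not match the hash pinned in the repository."""

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_image(path, pinned, published=None, force=False):
    """Return (actual_hash, warnings); raise unless the file matches `pinned`.

    `pinned` comes from the source tree and is the only trusted value.
    `published` (fetched from the download server) is advisory: it can tell
    us a newer image exists, but it can never make a different file pass.
    """
    pinned = pinned.lower()
    warnings = []
    if published is not None and published.lower() != pinned:
        warnings.append("server publishes %s, repo pins %s" % (published, pinned))
    actual = sha256_file(path)
    if actual != pinned:
        msg = "%s has sha256 %s, expected %s" % (path, actual, pinned)
        if not force:
            raise ImageHashMismatch(msg)
        warnings.append(msg + " (accepted: force)")
    return actual, warnings

def demo():
    # Constructed sample data standing in for a VM image and its successor.
    pinned = hashlib.sha256(b"constructed image v1").hexdigest()
    newer = hashlib.sha256(b"constructed image v2").hexdigest()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "image.img")
        with open(path, "wb") as f:
            f.write(b"constructed image v1")
        ok = check_image(path, pinned, published=newer)  # warns, still usable
        with open(path, "wb") as f:
            f.write(b"constructed image, modified")
        try:
            check_image(path, pinned)
            rejected = False
        except ImageHashMismatch:
            rejected = True
        forced = check_image(path, pinned, force=True)
    return pinned, ok, rejected, forced

if __name__ == "__main__":
    print(demo())
```

Because the pinned value is read from the checked-out tree, a stable branch keeps validating against its own image even after master moves to a newer one.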