So no one is interested in verifying the integrity of the Vagrant Cloud 
boxes? ;)

On Friday, 10 November 2017 at 11:40:32 UTC+1, emmanuel.ka...@gmail.com 
wrote:
>
> Hi !
> I am one of the Debian developers releasing the Vagrant base boxes 
> available as debian/stretch64 on app.vagrantup.com
>
> One user recently reported to us that when using the `vagrant add` 
> command, any made-up checksum given with `--checksum` would be considered as 
> valid.
>
> Looking at the fine manual at 
> https://www.vagrantup.com/docs/cli/box.html#options-for-direct-box-files
>
> ```
> Checksums for versioned boxes or boxes from HashiCorp's Vagrant Cloud: For 
> boxes from HashiCorp's Vagrant Cloud, the checksums are embedded in the 
> metadata of the box. The metadata itself is served over TLS and its format 
> is validated.
> ```
>
> I see two issues:
>
>  * shouldn't the `vagrant add` command fail when `--checksum` is used and 
> the box is added from VagrantCloud?
>
>  * generally, how could we (Vagrant box maintainers) generate a checksum 
> and have it verified when downloading a box?
> I know it's possible to grok the link from `vagrant add`, download the box 
> with curl,
> and add the box locally, but it kind of defeats the purpose of having a 
> central registry (versioning, etc.)
> This kind of checksumming is important because I am signing the checksums 
> with a GPG key available in the Debian keyring, building a direct trust 
> link with end users.
>
> Debian is not the only one having a problem here, I talked to the 
> maintainer of the CentOS Vagrant boxes, and CentOS boxes have exactly the 
> same issue: if you follow the instructions from 
> https://seven.centos.org/2017/10/updated-centos-vagrant-images-available-v1710-01/
>  
> and replace the checksum with `1234`, `vagrant add` will add the box 
> without any error.
>
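
The manual workaround mentioned in the quoted message (download the box, check it, add it locally), written so that a made-up value such as `1234` is rejected instead of accepted. This is an added example, not part of the original thread and not Vagrant's own code. The function names and the `sha256sum`-format checksum list with a detached GPG signature are assumptions, as is the availability of GNU `sha256sum`, `gpg` and a maintainer key already in the local keyring.

```bash
#!/usr/bin/env bash
# Added example: fail-closed verification of a downloaded box file.

# verify_box BOX_FILE SUMS_FILE
# SUMS_FILE uses `sha256sum` output format: "<hex digest>  <file name>"
# (file names without whitespace). Returns 0 only when SUMS_FILE lists
# BOX_FILE's base name and the listed digest matches the file.
verify_box() {
    local box=$1 sums=$2 name expected actual
    [ -r "$box" ] && [ -r "$sums" ] || { echo "missing input" >&2; return 2; }
    name=$(basename -- "$box")
    # Exact match on the file-name field; a leading '*' marks binary mode.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print tolower($1); exit }' "$sums")
    # No entry for this file is a failure, never a silent pass.
    [ -n "$expected" ] || { echo "no checksum listed for $name" >&2; return 3; }
    # A SHA-256 digest is exactly 64 hex characters; "1234" is rejected here.
    case $expected in
        *[!0-9a-f]*) echo "malformed checksum for $name" >&2; return 4 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed checksum for $name" >&2; return 4; }
    actual=$(sha256sum -- "$box" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $name" >&2; return 1; }
}

# add_verified_box NAME BOX_FILE SUMS_FILE SIG_FILE
# Checks the detached signature on the checksum list first, then the box
# digest, and only then registers the local file with Vagrant.
add_verified_box() {
    gpg --verify "$4" "$3" || return 5
    verify_box "$2" "$3" || return
    vagrant box add --name "$1" "$2"
}
```

Checking the signature before the digest matters: an unsigned checksum list fetched from the same place as the box proves nothing about who produced it.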
