Bug 1632132
| Summary: | RFE: verify downloaded kernel/initrd with distro specific checksums/gpgkeys | | |
|---|---|---|---|
| Product: | [Community] Virtualization Tools | Reporter: | Guido Günther <agx> |
| Component: | virt-manager | Assignee: | Cole Robinson <crobinso> |
| Status: | CLOSED DEFERRED | QA Contact: | |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | unspecified | CC: | berrange, crobinso, gscrivan |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-09-15 19:43:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
I have no plans to implement this, but if someone showed up with patches I will be happy to review them.

We are closing this tracker and using GitHub issues for upstream virt-manager going forward. This particular issue would be nice to fix, but unless someone shows up with patches I don't expect it to happen anytime soon. It will also take some thought about how to share this logic with libosinfo. I'm not interested in adding more URL fetching magic to virt-install specifically; we should be trying to find a way to standardize this stuff. If you're still interested in this feature, please file a bug in the upstream tracker.
Description of problem:
virt-install downloads from untrusted (http:) locations without verification.

Version-Release number of selected component (if applicable):
all versions up to 1.5.1

How reproducible:
virt-install --connect=qemu:///system --location=http://ftp.us.debian.org/debian/dists/stable/main/installer-amd64 --name test --ram=512

Actual results:
The checksums of the downloaded files are not verified.

Expected results:
Checksums of the downloaded files should be verified via http://ftp.us.debian.org/debian/dists/stable/Release which again is gpg signed (http://ftp.us.debian.org/debian/dists/stable/Release.gpg).

Additional info:
This came up on the mailing list before: https://www.redhat.com/archives/virt-tools-list/2015-April/msg00214.html
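The verification chain requested under "Expected results", as an added sketch that is not part of the report and not virt-install code: the signed Release file vouches for an installer SHA256SUMS file, which in turn vouches for the kernel. The function names, the two-step layout (Release lists `SHA256SUMS`, which lists the boot files), the sample paths and the keyring argument are assumptions; the sample data is constructed.

```python
import hashlib
import subprocess

def verify_release_signature(release, sig, keyring):
    # gpgv exits non-zero unless sig is a valid signature by a key in keyring
    subprocess.run(["gpgv", "--keyring", keyring, sig, release], check=True)

def parse_release_sha256(text):
    """Map path -> (sha256 hex, size) from the 'SHA256:' field of a Release file."""
    entries, in_field = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):          # a new top-level field begins
            in_field = line.strip() == "SHA256:"
        elif in_field and len(line.split()) == 3:
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries

def parse_sha256sums(text):
    """Map path -> sha256 hex from sha256sum-style lines ('<hex>  ./path')."""
    sums = {}
    for line in text.splitlines():
        digest, _, path = line.partition(" ")
        if path.strip():
            sums[path.strip().lstrip("*").removeprefix("./")] = digest.lower()
    return sums

def matches(data, digest, size=None):
    if size is not None and len(data) != size:
        return False
    return hashlib.sha256(data).hexdigest() == digest

def verify_boot_file(release_text, sums_path, sums_bytes, file_path, file_bytes):
    """True only if Release vouches for SHA256SUMS and SHA256SUMS for the file."""
    entry = parse_release_sha256(release_text).get(sums_path)
    if entry is None or not matches(sums_bytes, *entry):
        return False
    expected = parse_sha256sums(sums_bytes.decode("ascii", "replace")).get(file_path)
    return expected is not None and matches(file_bytes, expected)

# Constructed sample data (not real Debian content); paths are assumed examples.
KERNEL = b"constructed stand-in for the netboot kernel image"
KERNEL_PATH = "netboot/debian-installer/amd64/linux"
SUMS = f"{hashlib.sha256(KERNEL).hexdigest()}  ./{KERNEL_PATH}\n".encode()
SUMS_PATH = "main/installer-amd64/current/images/SHA256SUMS"
RELEASE = (f"Origin: Debian\nSuite: stable\nSHA256:\n"
           f" {hashlib.sha256(SUMS).hexdigest()} {len(SUMS)} {SUMS_PATH}\n")

if __name__ == "__main__":
    print(verify_boot_file(RELEASE, SUMS_PATH, SUMS, KERNEL_PATH, KERNEL))         # True
    print(verify_boot_file(RELEASE, SUMS_PATH, SUMS, KERNEL_PATH, KERNEL + b"x"))  # False
```

`verify_release_signature` has to succeed on the downloaded Release and Release.gpg before anything parsed from Release is trusted; the checksum chain alone only proves consistency with whatever Release the http: mirror served.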