Bug 1632132 - RFE: verify downloaded kernel/initrd with distro specific checksums/gpgkeys
Summary: RFE: verify downloaded kernel/initrd with distro specific checksums/gpgkeys
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Virtualization Tools
Classification: Community
Component: virt-manager
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Cole Robinson
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-09-24 07:58 UTC by Guido Günther
Modified: 2020-09-15 19:43 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-09-15 19:43:24 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Debian BTS 909389 0 None None None 2018-09-24 07:58:48 UTC

Description Guido Günther 2018-09-24 07:58:49 UTC
Description of problem:


virt-install downloads from untrusted (http:) locations without verification.


Version-Release number of selected component (if applicable):


all versions up to 1.5.1


How reproducible:

virt-install --connect=qemu:///system \
             --location=http://ftp.us.debian.org/debian/dists/stable/main/installer-amd64 \
             --name test --ram=512

Actual results:

The checksums of the downloaded files are not verified.


Expected results:

Checksums of the downloaded files should be verified via http://ftp.us.debian.org/debian/dists/stable/Release, which in turn is GPG-signed (http://ftp.us.debian.org/debian/dists/stable/Release.gpg).

Additional info:
This came up on the mailing list before https://www.redhat.com/archives/virt-tools-list/2015-April/msg00214.html
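The verification flow the report asks for, as an added example that is not part of the bug report or of virt-manager's code: check Release.gpg over Release with gpgv, parse the SHA256 block of the Release file, then compare the downloaded file's size and digest against the listed entry. The installer path, the gpgv keyring location and the sample kernel bytes are assumptions/constructed for the example.

```python
import hashlib
import subprocess
from typing import Dict, Tuple

# Assumed path of the netboot kernel, relative to dists/stable/ as listed
# in the Release file (an assumption for this example).
KERNEL_PATH = "main/installer-amd64/current/images/netboot/debian-installer/amd64/linux"

def verify_release_signature(release: str, sig: str, keyring: str) -> bool:
    """Step 1: verify the detached signature Release.gpg over Release.
    Assumes gpgv is installed and `keyring` holds the archive signing keys
    (path is an assumption). Checksums are only trusted if this succeeds."""
    result = subprocess.run(["gpgv", "--keyring", keyring, sig, release],
                            capture_output=True)
    return result.returncode == 0

def parse_release_sha256(release_text: str) -> Dict[str, Tuple[str, int]]:
    """Step 2: return {relative_path: (sha256_hex, size)} from the SHA256:
    block of a Release file. Fields are RFC822-style; the checksum list is a
    multi-line field whose continuation lines start with a single space."""
    entries: Dict[str, Tuple[str, int]] = {}
    in_block = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # A new field begins; only the SHA256 block is of interest.
            in_block = line.rstrip() == "SHA256:"
            continue
        if in_block:
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries

def verify_download(data: bytes, rel_path: str,
                    entries: Dict[str, Tuple[str, int]]) -> bool:
    """Step 3: accept the downloaded bytes only if both size and SHA-256
    digest match the entry the signature-checked Release lists for them."""
    if rel_path not in entries:
        return False
    expected_digest, expected_size = entries[rel_path]
    if len(data) != expected_size:
        return False
    return hashlib.sha256(data).hexdigest() == expected_digest

# Constructed sample: stand-in kernel bytes and a minimal Release fragment
# carrying their real digest, so the check can be exercised offline.
SAMPLE_KERNEL = b"\x7fELF-not-really-a-kernel\n" * 4
SAMPLE_RELEASE = (
    "Origin: Debian\nSuite: stable\n"
    "SHA256:\n"
    f" {hashlib.sha256(SAMPLE_KERNEL).hexdigest()} {len(SAMPLE_KERNEL)} {KERNEL_PATH}\n"
)
```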

Comment 1 Cole Robinson 2020-01-26 21:08:35 UTC
I have no plans to implement this but if someone showed up with patches I will be happy to review them

Comment 2 Cole Robinson 2020-09-15 19:43:24 UTC
We are closing this tracker and using github issues for upstream virt-manager going forward.

This particular issue would be nice to fix but unless someone shows up with patches I don't expect it to happen anytime soon.

It will also take some thought about how to share this logic with libosinfo. I'm not interested in adding more URL fetching magic
to virt-install specifically, we should be trying to find a way to standardize this stuff.

If you're still interested in this feature please file a bug in the upstream tracker.

