ubuntu-cloud template: use simplestreams to add integrity verification
Bug #1182458 reported by
Serge Hallyn
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| lxc (Ubuntu) |
Fix Released
|
Medium
|
Scott Moser | ||
Bug Description
Currently we wget the ubuntu-cloud template without any integrity verification. We then proceed to execute binaries like /bin/passwd while still in the ubuntu-cloud template (in a chroot, but without any effective containment). We should be verifying that the image we download has not been tampered with.
| Changed in lxc (Ubuntu): | |
| status: | New → Triaged |
| importance: | Undecided → Medium |
| assignee: | nobody → Scott Moser (smoser) |
Revision history for this message
| Stéphane Graber (stgraber) wrote | #1 |
| Changed in lxc (Ubuntu): | |
| status: | Triaged → Fix Released |
To post a comment you must log in.
The current donwload template model to download those images does do both https and gpg validation.