It's 2021 and md5 has been insufficient as a cryptographic hash for years; as of 2008 CERT declared MD5 "cryptographically broken and unsuitable for further use"[1]. Minimal streams were created after this and therefore md5 sums are intentionally omitted. For standard image streams md5 sums should be removed before another 10 year LTS is released considering supply chain security concerns and simplestreams updated to only accept sha256 or greater. Given the timeframe for LTS support NIST 2020 recommendations[2] would point to SHA-384 or SHA-512. [1] https://www.kb.cert.org/vuls/id/836068 [2] https://www.keylength.com/en/4/ On Thu, Oct 7, 2021 at 9:56 AM Corey Bryant wrote: > @John, thanks for taking a look. The simplestreams code [1] seems to > validate based on md5, so perhaps it should be validating images based on > sha256. > [1] > https://git.launchpad.net/simplestreams/tree/simplestreams/mirrors/glance.py > > ** Also affects: simplestreams > Importance: Undecided > Status: New > > -- > You received this bug notification because you are subscribed to cloud- > images. > Matching subscriptions: cloud-images > https://bugs.launchpad.net/bugs/1933966 > > Title: > sync-images fails with Invalid glance image: . Expected size= > md5=None. Found size= md5= > > Status in OpenStack glance-simplestreams-sync charm: > New > Status in charm-octavia-diskimage-retrofit: > Triaged > Status in cloud-images: > New > Status in simplestreams: > New > > Bug description: > Visible in this gate: > > https://review.opendev.org/c/openstack/charm-octavia-diskimage-retrofit/+/778995 > > https://openstack-ci-reports.ubuntu.com/artifacts/d09/778995/5/check/bionic-ussuri/d092848/job-output.txt > > zaza.model.ActionFailed: Run of action "sync-images" with parameters > "" on "glance-simplestreams-sync/0" failed with "exit status 1" > (id=36 status=failed enqueued=2021-06-28T16:55:10Z > started=2021-06-28T16:55:11Z completed=2021-06-28T16:55:28Z output={'Code': > '1', 'Stderr': > '/usr/lib/python2.7/dist-packages/keystoneauth1/adapter.py:179: > UserWarning: Using keystoneclient sessions has been deprecated. Please > update your software to use keystoneauth1.\n warnings.warn(\'Using > keystoneclient sessions has been deprecated. \'\nTraceback (most recent > call last): > File "/snap/simplestreams/27/bin/sstream-mirror-glance", line 185, in > > main() > File "/snap/simplestreams/27/bin/sstream-mirror-glance", line 181, in > main > tmirror.sync(smirror, args.path) > File > "/snap/simplestreams/27/lib/python3.6/site-packages/simplestreams/mirrors/__init__.py", > line 91, in sync > return self.sync_index(reader, path, data, content) > File > "/snap/simplestreams/27/lib/python3.6/site-packages/simplestreams/mirrors/__init__.py", > line 254, in sync_index > self.sync(reader, path=epath) > File > "/snap/simplestreams/27/lib/python3.6/site-packages/simplestreams/mirrors/__init__.py", > line 89, in sync > return self.sync_products(reader, path, data, content) > File > "/snap/simplestreams/27/lib/python3.6/site-packages/simplestreams/mirrors/__init__.py", > line 360, in sync_products > (prodname, vername)) > File > "/snap/simplestreams/27/lib/python3.6/site-packages/simplestreams/mirrors/glance.py", > line 582, in insert_version > self._insert_item(*iargs) > File > "/snap/simplestreams/27/lib/python3.6/site-packages/simplestreams/mirrors/glance.py", > line 501, in _insert_item > self.validate_image(glance_image.id, new_md5, new_size) > File > "/snap/simplestreams/27/lib/python3.6/site-packages/simplestreams/mirrors/glance.py", > line 537, in validate_image > raise IOError(msg) > OSError: Invalid glance image: 3c4b49a4-a4c9-4b84-95eb-dbf0ce3d1e83. > Expected size=172883968 md5=None. Found size=172883968 > md5=078ff054bceec76f66ffeaa748f9f2e5. > ', 'Stdout': 'sending incremental file > list\nstreams/\nstreams/v1/\nstreams/v1/auto.sync.json\nstreams/v1/index.json\n\nsent > 1,230 bytes received 66 bytes 2,592.00 bytes/sec\ntotal size is 2,535 > speedup is 1.96\n'}) > > To manage notifications about this bug go to: > > https://bugs.launchpad.net/charm-glance-simplestreams-sync/+bug/1933966/+subscriptions > >