glance/releasenotes/notes/deprecate-checksum-a602853403e1c4a8.yaml
Brian Rosmaita 4a64d976e7 Deprecate the 'checksum' image property
Depends-on: https://review.opendev.org/#/c/708761/
Change-Id: If67fe7ad9caed8d3d2fd4e6f84bd31f7a67695f7
2020-04-07 11:15:43 -04:00

---
deprecations:
  - |
    The Image ``checksum`` property contains an MD5 hash of the image data
    associated with an image. MD5 has not been considered secure for some
    time, and in order to comply with various security standards (for
    example, FIPS), an implementation of the MD5 algorithm may not be
    available on glance nodes.

    The secure "multihash" image properties, ``os_hash_algo`` and
    ``os_hash_value`` have been available on images since glance
    version 17.0.0 (Rocky). Until this point, the MD5 ``checksum``
    property has been populated solely for backward compatibility. It
    is not, however, necessary for validating downloaded image data.

    Thus, we are announcing the DEPRECATION in this release of the
    image ``checksum`` property. It will remain as an image property,
    but beginning with the Victoria release, the ``checksum`` will *not*
    be populated on new images.

    Users should instead rely on the secure "multihash" to validate image
    downloads. The python-glanceclient, for example, has been using multihash
    validation (with an optional MD5 fallback) since version 2.13.0 (Rocky).
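
An added example (not part of the release note and not python-glanceclient's code) of the validation the note recommends: hash the downloaded data with the algorithm named in ``os_hash_algo``, compare it with ``os_hash_value``, and use the MD5 ``checksum`` only as an opt-in fallback for images that have no multihash. The function name, the dict-shaped image record and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io


class ImageVerificationError(Exception):
    """Downloaded data could not be validated against the image record."""


def verify_image(image, stream, allow_md5_fallback=False, chunk_size=65536):
    """Hash `stream` and compare with the image's recorded hash.

    `image` is a dict shaped like a Glance image record (an assumption of
    this example). Returns the name of the algorithm that was verified.
    """
    algo, expected = image.get("os_hash_algo"), image.get("os_hash_value")
    if not (algo and expected):
        # Only images without a multihash may use the legacy MD5 checksum,
        # and only when the caller opts in. An image that has a multihash
        # is never downgraded to MD5.
        if not (allow_md5_fallback and image.get("checksum")):
            raise ImageVerificationError("image has no secure multihash")
        algo, expected = "md5", image["checksum"]
    try:
        hasher = hashlib.new(algo)
    except ValueError as exc:
        # Unknown algorithm, or MD5 disabled (for example on a FIPS node).
        raise ImageVerificationError(f"hash {algo!r} is unavailable") from exc
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        hasher.update(chunk)
    if not hmac.compare_digest(hasher.hexdigest(), expected.lower()):
        raise ImageVerificationError(f"{algo} digest mismatch")
    return algo


# Constructed sample: a new-style image with no ``checksum`` populated.
SAMPLE_DATA = b"constructed image bytes\n" * 4096
SAMPLE_IMAGE = {
    "os_hash_algo": "sha512",
    "os_hash_value": hashlib.sha512(SAMPLE_DATA).hexdigest(),
    "checksum": None,
}

if __name__ == "__main__":
    print(verify_image(SAMPLE_IMAGE, io.BytesIO(SAMPLE_DATA)))
```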