Debian Bug report logs - #878759
no way to verify debian vagrant boxes

Package: cloud.debian.org; Maintainer for cloud.debian.org is Debian Cloud Team <debian-cloud@lists.debian.org>;

Reported by: Michael Pöhn <michael.poehn@fsfe.org>

Date: Mon, 16 Oct 2017 13:54:05 UTC

Severity: normal



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Cloud Team <debian-cloud@lists.debian.org>:
Bug#878759; Package cloud.debian.org. (Mon, 16 Oct 2017 13:54:07 GMT)


Acknowledgement sent to Michael Pöhn <michael.poehn@fsfe.org>:
New Bug report received and forwarded. Copy sent to Debian Cloud Team <debian-cloud@lists.debian.org>. (Mon, 16 Oct 2017 13:54:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Pöhn <michael.poehn@fsfe.org>
To: submit@bugs.debian.org
Subject: no way to verify debian vagrant boxes
Date: Mon, 16 Oct 2017 15:45:20 +0200
Package: cloud.debian.org

There is no way to verify the authenticity of vagrant boxes hosted on Atlas
(HashiCorp's image hosting service). For example, running this command
with a completely fabricated fingerprint installs a Debian box without
any error message or warning:

     vagrant box add \
     --checksum 1234567890123456789012345678901234567890123456789012345678901234 \
     --checksum-type sha256 debian/jessie64

While I understand that the official vagrant docs state that this is
intended behavior[1] (probably because when a new box version becomes
available the checksum changes), this renders all Atlas-hosted vagrant
boxes unverifiable. `vagrant box add` unpacks .box files, so users don't
have a chance to verify the box file manually.

thanks and best regards,
Michael

[1] https://www.vagrantup.com/docs/cli/box.html#options-for-direct-box-files




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cloud Team <debian-cloud@lists.debian.org>:
Bug#878759; Package cloud.debian.org. (Fri, 03 Nov 2017 10:15:03 GMT)


Acknowledgement sent to emmanuel@libera.cc:
Extra info received and forwarded to list. Copy sent to Debian Cloud Team <debian-cloud@lists.debian.org>. (Fri, 03 Nov 2017 10:15:03 GMT)


Message #10 received at 878759@bugs.debian.org:

From: emmanuel@libera.cc
To: 878759@bugs.debian.org
Subject: (no subject)
Date: Fri, 03 Nov 2017 11:06:21 +0100

Indeed, checksum verification does not work when vagrant box add refers
to a cloud based box.

Looking at:
 
https://www.vagrantup.com/docs/cli/box.html#options-for-direct-box-files

it seems the checksum should be embedded in the box metadata.

We probably need to improve the build process here.

In the meantime, you can download the boxes via wget and add
them locally as a workaround, i.e.:

$ wget https://vagrantcloud.com/debian/boxes/stretch64/versions/9.2.0/providers/virtualbox.box

$ vagrant box add --name debian/stretch64 --provider virtualbox \
    --checksum 3625435cbc6ace0a033f64e9495de65286d92d6560dfefe9239a3f9ab02f98a1 \
    --checksum-type sha256 virtualbox.box

==> box: Box file was not detected as metadata. Adding it directly...
==> box: Adding box 'debian/stretch64' (v0) for provider: virtualbox
    box: Unpacking necessary files from: file:///home/manu/Projects/vagrenvs/stable/virtualbox.box
    box: Calculating and comparing box checksum...
The checksum of the downloaded box did not match the expected
value. Please verify that you have the proper URL setup and that
you're downloading the proper file.

Expected: 3625435cbc6ace0a033f64e9495de65286d92d6560dfefe9239a3f9ab02f98a1
Received: 3625435cbc6ace0a033f64e9495de65286d92d6560dfefe9239a3f9ab02f98a0

Here the box is compared against the expected checksum and fails in case
of mismatch.
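
The download-then-verify workaround from the message above, as an added shell example that is not part of the bug log or of Debian's or Vagrant's own tooling. It assumes a SHA-256 value obtained from a channel trusted independently of the download host (the report names no such source); `box_sha256`, `verify_box` and `add_verified_box` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: verify a locally downloaded .box before handing it to vagrant.
# Assumption: the expected digest comes from a source you trust independently
# of the host the box was downloaded from.

# Print the SHA-256 hex digest of a file.
box_sha256() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# Return 0 if the digest of file $1 equals $2, 1 on mismatch,
# 2 if the file is missing or $2 is not a well-formed SHA-256 value.
verify_box() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hexadecimal characters.
    case $expected in
        *[!0-9a-f]*) echo "malformed checksum" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed checksum" >&2; return 2; }
    actual=$(box_sha256 "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch" >&2
        echo "  expected: $expected" >&2
        echo "  received: $actual" >&2
        return 1
    fi
}

# Verify first, then add the local file. Passing --checksum for a local
# file makes vagrant compare the digest again, as in the output above.
add_verified_box() {
    name=$1 provider=$2 file=$3 expected=$4
    verify_box "$file" "$expected" || return $?
    vagrant box add --name "$name" --provider "$provider" \
        --checksum "$expected" --checksum-type sha256 "$file"
}

# Usage: script.sh NAME PROVIDER FILE.box EXPECTED_SHA256
if [ "$#" -eq 4 ]; then
    add_verified_box "$@"
fi
```
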







Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cloud Team <debian-cloud@lists.debian.org>:
Bug#878759; Package cloud.debian.org. (Fri, 10 Nov 2017 11:09:03 GMT)


Acknowledgement sent to Emmanuel Kasper <manu@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cloud Team <debian-cloud@lists.debian.org>.

Your message did not contain a Subject field. They are recommended and useful because the title of a Bug is determined using this field. Please remember to include a Subject field in your messages in future.

(Fri, 10 Nov 2017 11:09:03 GMT)


Message #15 received at 878759@bugs.debian.org:

From: Emmanuel Kasper <manu@debian.org>
To: 878759@bugs.debian.org
Date: Fri, 10 Nov 2017 11:46:07 +0100

I reported the issue upstream in the vagrant cloud google group
https://groups.google.com/forum/#!topic/vagrant-up/V0E4PAajM-g





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 12 13:12:54 2024; Machine Name: buxtehude
