Deprecate the 'checksum' image property

Depends-on: https://review.opendev.org/#/c/708761/ Change-Id: If67fe7ad9caed8d3d2fd4e6f84bd31f7a67695f7 (cherry picked from commit 4a64d97)
openstack · Apr 27, 2020 · fc3e14b · fc3e14b
1 parent 4c5f629
commit fc3e14b
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/releasenotes/notes/deprecate-checksum-a602853403e1c4a8.yaml b/releasenotes/notes/deprecate-checksum-a602853403e1c4a8.yaml
@@ -0,0 +1,23 @@
+---
+deprecations:
+  - |
+    The Image ``checksum`` property contains an MD5 hash of the image data
+    associated with an image.  MD5 has not been considered secure for some
+    time, and in order to comply with various security standards (for
+    example, FIPS), an implementation of the MD5 algorithm may not be
+    available on glance nodes.
+
+    The secure "multihash" image properties, ``os_hash_algo`` and
+    ``os_hash_value`` have been available on images since glance
+    version 17.0.0 (Rocky).  Until this point, the MD5 ``checksum``
+    property has been populated solely for backward compatability.  It
+    is not, however, necessary for validating downloaded image data.
+
+    Thus, we are announcing the DEPRECATION in this release of the
+    image ``checksum`` property.  It will remain as an image property,
+    but beginning with the Victoria release, the ``checksum`` will *not*
+    be populated on new images.
+
+    Users should instead rely on the secure "multihash" to validate image
+    downloads.  The python-glanceclient, for example, has been using multihash
+    validation (with an optional MD5 fallback) since version 2.13.0 (Rocky).