os.proto package verification question

[aaronmillisor]

In the os.proto definition there is a suggestion that the transferred file should check the hash of the image against a known good hash, with the hash ideally being embedded in the package itself.

https://github.com/openconfig/gnoi/blob/master/os/os.proto#L33

  // The OS package file format is platform dependent. The platform MUST
  // validate that the OS package that is supplied is valid and bootable. This
  // SHOULD include a hash check against a known good hash. It is recommended
  // that the hash is embedded in the OS package.

Assuming that the hash we are discussing is something like an md5sum of the image we are transferring, how is a previous version of an OS image expected to know the hash of a future image? Also, how would the hash be expected to be included within the image against which the hash is being checked?

[samribeiro]

Hi @aaronmillisor, there are no expectations about a previous OS version having any knowledge regarding future OS binary hashes. Anything after SHOULD is a recommendation and is up to the platform to implement at their own preference, as long as the end goal of validating that the uploaded binary is valid and bootable, is achieved.

While reading this section I do agree that it can be further improved to communicate this idea better.