Merge pull request #334 from shiftstack/synk

CARRY: add comment to .snyk about Glance

Author: openshift-merge-bot[bot]

.snyk

@@ -8,7 +8,13 @@ exclude:
     - "hack/**"
     - "test/**"
     - "**/*_test.go"
-    # Here we skip warnings about the fact md5 and sha1 is being used to check images checksums.
-    # Ignoring these errors doesn't seem to work with the "ignore:" interface so let's just skip
-    # this file for now.
+    # TODO: use the `ignore:` interface to be more specific on what issues we want to ignore but it doesn't seem to work.
+    #
+    # This file handle Glance image upload in CAPO.
+    # This code intentionally supports insecure hash algorithms, because for public images the consumer can't, in practise,
+    # influence the hash algorithm presented. If the only published hash is MD5 it's more secure to check it than not
+    # check it, so we support MD5.
+    # Incidentally, Glance only directly supports SHA512. This is wildly impractical as almost nobody publishes this:
+    # SHA256 is most common in practise. Also Glance publishes a hash of something that isn't guaranteed to be what it downloaded.
+    # Also there's no way to determine via the API if it's going to do this. Glance hash verification is unusable.
     - 'internal/controllers/image/upload_helpers.go'