)]}'
{"deployment/barbican/barbican-client-puppet.yaml":[{"author":{"_account_id":21129,"name":"Alan Bishop","email":"abishopsweng@gmail.com","username":"ASBishop","status":"ex Red Hat"},"change_message_id":"ed8b38946ee787cb5641f76b83abd3e3052825a6","unresolved":true,"context_lines":[{"line_number":39,"context_line":"      service_name: barbican_client"},{"line_number":40,"context_line":"      service_config_settings:"},{"line_number":41,"context_line":"        nova_compute:"},{"line_number":42,"context_line":"          nova::compute::verify_glance_signatures: true"},{"line_number":43,"context_line":"          nova::compute::keymgr_backend: barbican"},{"line_number":44,"context_line":"          nova::compute::barbican_endpoint:"},{"line_number":45,"context_line":"            get_param: [EndpointMap, BarbicanInternal, uri]"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"9c0ca324_0304515f","line":42,"updated":"2021-07-19 21:23:17.000000000","message":"I\u0027ll let the nova folks vote on whether unilaterally enabling image verification is a good idea, but it should not be done this way. There\u0027s a THT parameter [1] that governs this setting, and forcing the value to True here will causes things to get out of sync. A better approach would be to update a barbican THT env file and override the VerifyGlanceSignatures value.\n\n[1] https://opendev.org/openstack/tripleo-heat-templates/src/branch/master/deployment/nova/nova-compute-container-puppet.yaml#L370","commit_id":"df768b7c8693d30bfc5b1ef817f548b5af2c17e1"},{"author":{"_account_id":17216,"name":"Martin Schuppert","email":"mschuppert@redhat.com","username":"mcschupp"},"change_message_id":"d498c47fe807ec27429206b43e63a49e23618afc","unresolved":true,"context_lines":[{"line_number":39,"context_line":"      service_name: barbican_client"},{"line_number":40,"context_line":"      service_config_settings:"},{"line_number":41,"context_line":"        nova_compute:"},{"line_number":42,"context_line":"          nova::compute::verify_glance_signatures: true"},{"line_number":43,"context_line":"          nova::compute::keymgr_backend: barbican"},{"line_number":44,"context_line":"          nova::compute::barbican_endpoint:"},{"line_number":45,"context_line":"            get_param: [EndpointMap, BarbicanInternal, uri]"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"8f8053e4_061b4a77","line":42,"in_reply_to":"9c0ca324_0304515f","updated":"2021-07-20 06:03:04.000000000","message":"I agree with Alan. We should not force the verification like this. A parameter should be used (which looks like we already have) and either set the default to true if we think it should be enabled per default or use an env file.","commit_id":"df768b7c8693d30bfc5b1ef817f548b5af2c17e1"}]}