Does sftp eliminate the need to check sha1sum?
Adam Israel
adam.israel at canonical.com
Wed Jan 13 19:04:08 UTC 2016
That sounds about right, yes. I’m not sure the specific steps we’d need to suggest to the developer to take to do that, but it would be worthwhile to do that so we can make better recommendations for situations like this in the future.
--
Adam Israel - Software Engineer
Canonical Ltd.
http://juju.ubuntu.com/ - Automate your Cloud Infrastructure
> On Jan 13, 2016, at 1:59 PM, Tom Barber <tom at analytical-labs.com> wrote:
>
> Surely it only prevents man in the middle if it does cert checking as well? If I just fired up SFTP and downloaded a file it could be from anywhere still. SFTP on most boxes encrypts the traffic but doesn't validate the certificate (unless it changes of course)
>
> On 13 Jan 2016 18:56, "Adam Israel" <adam.israel at canonical.com> wrote:
> No, I don’t believe using SFTP is sufficient alone. Using a secure transfer protocol is good for preventing a man-in-the-middle attack but doesn’t do anything if the source binary, i.e., hosted on the "trusted" server, has been modified.
>
> Adam Israel - Software Engineer
> Canonical Ltd.
> http://juju.ubuntu.com/ - Automate your Cloud Infrastructure
>
>> On Jan 13, 2016, at 1:46 PM, Matt Bruzek <matthew.bruzek at canonical.com> wrote:
>>
>> I recently reviewed a charm that is using sftp to download the binary files with a username and password. The charm does not check the sha1sum of these files.
>>
>> The Charm Store Policy states: Must verify that any software installed or utilized is verified as coming from the intended source
>>
>> https://jujucharms.com/docs/stable/authors-charm-policy
>>
>> Does using sftp eliminate the need to check the sha1sum of the files downloaded?
>>
>> What does the Juju community say to this question?
>>
>> - Matt Bruzek <matthew.bruzek at canonical.com>
>> --
>> Juju mailing list
>> Juju at lists.ubuntu.com
>> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/juju
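As an added example (not code from this thread or from any Juju charm): a hook-side check that ties a downloaded binary to a digest pinned in the charm, so the verification holds whether or not the file arrived over sftp. The sample payload, file paths and the pinned value are constructed; the charm's actual sftp download is assumed to have already written the file to disk.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 16  # read in 64 KiB pieces so large binaries stay out of RAM


def digest_file(path, algorithm="sha256"):
    """Stream the file through hashlib and return its hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex, algorithm="sha256"):
    """Return True if the file matches the pinned digest; else delete it.

    The digest must ship with the charm (a constant reviewed with the code
    or a config value), never be fetched from the server that served the
    binary: a modified server could serve matching values for both.
    """
    actual = digest_file(path, algorithm)
    # compare_digest does not short-circuit on the first mismatching byte.
    if hmac.compare_digest(actual.lower(), expected_hex.lower()):
        return True
    os.remove(path)  # never leave an unverified binary where a hook may run it
    return False


def demo():
    """Constructed scenario: an 'sftp download' that is intact, then modified."""
    payload = b"#!/bin/sh\necho pretend-binary\n"  # constructed sample artifact
    pinned = hashlib.sha256(payload).hexdigest()  # the value the charm ships
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "tool.bin")
    with open(good, "wb") as f:
        f.write(payload)
    bad = os.path.join(workdir, "tool-modified.bin")
    with open(bad, "wb") as f:
        f.write(payload + b"echo extra\n")  # modified on the "trusted" server
    return {"intact": verify_download(good, pinned),
            "modified": verify_download(bad, pinned),
            "modified_removed": not os.path.exists(bad)}


if __name__ == "__main__":
    print(demo())
```

Because the expected digest comes from the charm rather than from the download server, a modified file on the "trusted" host fails the check even when the transport itself was never tampered with.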