Does sftp eliminate the need to check sha1sum?
Jay Wren
jay.wren at canonical.com
Wed Jan 13 19:11:32 UTC 2016

StrictHostKeyChecking and shipping the public key of the ssh host with
the charm does seem to meet the criteria of verifying the intended
source.

On Wed, Jan 13, 2016 at 1:46 PM, Matt Bruzek
<matthew.bruzek at canonical.com> wrote:
> I recently reviewed a charm that is using sftp to download the binary files
> with a username and password. The charm does not check the sha1sum of these
> files.
>
> The Charm Store Policy states: Must verify that any software installed or
> utilized is verified as coming from the intended source
>
> https://jujucharms.com/docs/stable/authors-charm-policy
>
> Does using sftp eliminate the need to check the sha1sum of the files
> downloaded?
>
> What does the Juju community say to this question?
>
> - Matt Bruzek <matthew.bruzek at canonical.com>
>
> --
> Juju mailing list
> Juju at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/juju
>
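The setup described in the reply above, as an added example that is not part of the original thread or of the charm under review: a hook helper that refuses to call sftp unless the charm ships a host key for the server, then restricts sftp to that key file. The function names, the `files/known_hosts` path and the host name are assumptions; authentication is left to whatever the charm already uses.

```shell
#!/bin/sh
# Added example (hypothetical charm hook helper, not the reviewed charm's code).
# The charm is assumed to ship a known_hosts file, e.g. files/known_hosts, with
# plain (unhashed) entries in the usual form:
#   files.example.com,192.0.2.10 ssh-ed25519 <base64 public key>

# has_pinned_key HOST FILE
# Succeeds only if FILE contains a host key entry naming HOST exactly.
# Comment lines, @cert-authority/@revoked marker lines and hashed (|1|...)
# entries are not treated as a pin.
has_pinned_key() {
    pin_host=$1
    pin_file=$2
    [ -r "$pin_file" ] || return 1
    awk -v h="$pin_host" '
        NF < 3 || $1 ~ /^[#@]/ { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$pin_file"
}

# fetch_pinned [USER@]HOST REMOTE_PATH LOCAL_PATH KNOWN_HOSTS_FILE
# Downloads one file over sftp, trusting only the host keys in KNOWN_HOSTS_FILE.
# Returns 2 without contacting the network when no key is pinned for HOST.
fetch_pinned() {
    target=$1
    remote=$2
    dest=$3
    known=$4
    host=${target#*@}

    if ! has_pinned_key "$host" "$known"; then
        echo "refusing download: no pinned host key for $host in $known" >&2
        return 2
    fi

    # StrictHostKeyChecking=yes: never accept or add an unknown host key.
    # UserKnownHostsFile / GlobalKnownHostsFile: ignore every key store on the
    # unit except the file shipped with the charm.
    sftp -o StrictHostKeyChecking=yes \
         -o UserKnownHostsFile="$known" \
         -o GlobalKnownHostsFile=/dev/null \
         "$target:$remote" "$dest"
}
```

A hook would call it as `fetch_pinned deploy@files.example.com /srv/app.tgz /tmp/app.tgz "$CHARM_DIR/files/known_hosts"`.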