Does sftp eliminate the need to check sha1sum?

Marco Ceppi marco at ondina.co
Wed Jan 13 19:12:21 UTC 2016


I disagree with the HTTPS comment, since if the certificate is validated by
an authority it's reasonable to assert you received it from the intended party.
SFTP with host key checking, like SSH, should also perform the same
function as long as we have the host's signature.

On Wed, Jan 13, 2016 at 8:56 PM Adam Israel <adam.israel at canonical.com>
wrote:

> No, I don’t believe using SFTP is sufficient alone. Using a secure
> transfer protocol is good for preventing a man-in-the-middle attack but
> doesn’t do anything if the source binary, i.e., hosted on the "trusted"
> server, has been modified.
>
> Adam Israel - Software Engineer
> Canonical Ltd.
> http://juju.ubuntu.com/ - Automate your Cloud Infrastructure
>
> On Jan 13, 2016, at 1:46 PM, Matt Bruzek <matthew.bruzek at canonical.com>
> wrote:
>
> I recently reviewed a charm that is using sftp to download the binary
> files with a username and password.  The charm does not check the sha1sum
> of these files.
>
> The Charm Store Policy states:  Must verify that any software installed or
> utilized is verified as coming from the intended source
>
> https://jujucharms.com/docs/stable/authors-charm-policy
>
> Does using sftp eliminate the need to check the sha1sum of the files
> downloaded?
>
> What does the Juju community say to this question?
>
>    - Matt Bruzek <matthew.bruzek at canonical.com>
> --
> Juju mailing list
> Juju at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/juju
>
>
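The thread's answer is that the transport (SFTP, HTTPS) authenticates the server you talked to, but only a digest pinned somewhere other than that server tells you the file is the one you expected. As an added example, not code from this thread or from any charm, here is that check in Python: a parser for the `sha1sum`-style manifest format ("<hexdigest>  <filename>") and a fail-closed verifier. The sample bytes, filenames and manifest are constructed for the example; the hash algorithm defaults to SHA-1 because that is what the policy discussion names, and `hashlib.new` lets a charm swap in `sha256`.

```python
import hashlib
import hmac

# Constructed sample standing in for the bytes a charm fetched over SFTP.
DOWNLOADED = b"The quick brown fox jumps over the lazy dog"

# Constructed sample manifest in sha1sum(1) output format ("<hex>  <name>").
# A real charm ships this pinned in its own source (or obtains it from a
# separately trusted channel), not from the server hosting the binary, so a
# modified binary on that server cannot also "fix" its digest.
MANIFEST = """\
2fd4e1c67a2d28fced849ee1bb76e7391b93eb12  vendor-binary.bin
da39a3ee5e6b4b0d3255bfef95601890afd80709  empty-file.bin
"""


def parse_manifest(text):
    """Return {filename: hexdigest} from sha1sum/sha256sum-style output.

    Each line is '<hexdigest>  <filename>' (or '<hexdigest> *<filename>' in
    binary mode). Blank lines and '#' comments are skipped; anything else
    malformed raises rather than being silently ignored.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" ").lstrip("*")  # drop the second space / '*' marker
        if not name or not all(c in "0123456789abcdef" for c in digest.lower()):
            raise ValueError("malformed manifest line: %r" % raw)
        entries[name] = digest.lower()
    return entries


def verify(data, expected_hex, algorithm="sha1"):
    """True iff digest(data) equals expected_hex, compared in constant time."""
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def check_download(data, name, manifest_text, algorithm="sha1"):
    """Verify a downloaded blob against the pinned manifest.

    Returns True on a match. Raises if the file is not listed or does not
    match, so an install hook fails closed instead of installing the file.
    """
    entries = parse_manifest(manifest_text)
    if name not in entries:
        raise KeyError("no pinned digest for %s" % name)
    if not verify(data, entries[name], algorithm):
        raise ValueError("%s digest mismatch; refusing to install" % name)
    return True


if __name__ == "__main__":
    print(check_download(DOWNLOADED, "vendor-binary.bin", MANIFEST))
    try:
        # A copy altered on the server (one extra byte) is rejected.
        check_download(DOWNLOADED + b"\n", "vendor-binary.bin", MANIFEST)
    except ValueError as exc:
        print("tampered copy rejected:", exc)
```

The manifest is looked up by filename, so a charm that downloads several files checks each one against its own pinned digest, and a file with no entry is refused rather than installed unchecked.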