Does sftp eliminate the need to check sha1sum?
Tom Barber
tom at analytical-labs.com
Wed Jan 13 19:14:18 UTC 2016
Yeah but as pointed out earlier, it verifies where you got it from, but
not what you got. :)
On 13 Jan 2016 19:11, "Jay Wren" <jay.wren at canonical.com> wrote:
> StrictHostKeyChecking and shipping the public key of the ssh host with
> the charm does seem to meet the criteria of verifying the intended
> source.
>
>
> On Wed, Jan 13, 2016 at 1:46 PM, Matt Bruzek
> <matthew.bruzek at canonical.com> wrote:
> > I recently reviewed a charm that is using sftp to download the binary
> files
> > with a username and password. The charm does not check the sha1sum of
> these
> > files.
> >
> > The Charm Store Policy states: Must verify that any software installed
> or
> > utilized is verified as coming from the intended source
> >
> > https://jujucharms.com/docs/stable/authors-charm-policy
> >
> > Does using sftp eliminate the need to check the sha1sum of the files
> > downloaded?
> >
> > What does the Juju community say to this question?
> >
> > - Matt Bruzek <matthew.bruzek at canonical.com>
> >
> > --
> > Juju mailing list
> > Juju at lists.ubuntu.com
> > Modify settings or unsubscribe at:
> > https://lists.ubuntu.com/mailman/listinfo/juju
> >
>
> --
> Juju mailing list
> Juju at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/juju
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/juju/attachments/20160113/1df9993d/attachment.html>
More information about the Juju
mailing list