Does sftp eliminate the need to check sha1sum?

Adam Israel adam.israel at canonical.com
Wed Jan 13 19:18:17 UTC 2016


Matt,

For the charm in question, I would think adding the sha1sum check to the process would be sufficient, especially in the scenario that the binary is being self-hosted for the purposes of installing it via the charm.

Adam Israel - Software Engineer
Canonical Ltd.
http://juju.ubuntu.com/ - Automate your Cloud Infrastructure

> On Jan 13, 2016, at 2:14 PM, Tom Barber <tom at analytical-labs.com> wrote:
> 
> Yeah, but as pointed out earlier, it verifies where you got it from, but not what you got. :)
> 
> On 13 Jan 2016 19:11, "Jay Wren" <jay.wren at canonical.com> wrote:
> StrictHostKeyChecking and shipping the public key of the ssh host with
> the charm does seem to meet the criteria of verifying the intended
> source.
> 
> 
> On Wed, Jan 13, 2016 at 1:46 PM, Matt Bruzek
> <matthew.bruzek at canonical.com> wrote:
> > I recently reviewed a charm that is using sftp to download the binary files
> > with a username and password.  The charm does not check the sha1sum of these
> > files.
> >
> > The Charm Store Policy states:  Must verify that any software installed or
> > utilized is verified as coming from the intended source
> >
> > https://jujucharms.com/docs/stable/authors-charm-policy
> >
> > Does using sftp eliminate the need to check the sha1sum of the files
> > downloaded?
> >
> > What does the Juju community say to this question?
> >
> >    - Matt Bruzek <matthew.bruzek at canonical.com>
> >
> > --
> > Juju mailing list
> > Juju at lists.ubuntu.com
> > Modify settings or unsubscribe at:
> > https://lists.ubuntu.com/mailman/listinfo/juju
> >
> 
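
Added example, not part of the thread or of the charm under review: a Python helper that a charm hook could call after the sftp download to check what was received against a digest pinned in the charm, which is the "what you got" half that host-key checking does not cover. The names `file_digest`, `verify_payload` and `PayloadMismatch` and the sample bytes are assumptions made for the illustration; SHA-1 is the default only because the thread discusses sha1sum, and any `hashlib` algorithm name can be passed instead.

```python
import hashlib
import hmac
import os
import tempfile


class PayloadMismatch(Exception):
    """The downloaded file does not match the digest pinned in the charm."""


def file_digest(path, algorithm="sha1", chunk_size=65536):
    """Hash the file in chunks so a large binary is never held in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_payload(path, pinned_hex, algorithm="sha1"):
    """Return path if it matches the pinned digest; else delete it and raise."""
    actual = file_digest(path, algorithm)
    expected = pinned_hex.strip().lower()
    if not hmac.compare_digest(actual, expected):
        os.unlink(path)  # a later hook must not find and install the bad file
        raise PayloadMismatch(f"{path}: expected {expected}, got {actual}")
    return path


def demo():
    """Constructed sample data: one intact file, one with a byte appended."""
    good = b"constructed installer bytes"
    pinned = hashlib.sha1(good).hexdigest()  # would ship inside the charm
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in (("good.bin", good), ("tampered.bin", good + b"!")):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(body)
            try:
                verify_payload(path, pinned)
                outcome = "accepted"
            except PayloadMismatch:
                outcome = "rejected"
            results[name] = (outcome, os.path.exists(path))
    return results
```
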
