Does sftp eliminate the need to check sha1sum?

José Antonio Rey jose at ubuntu.com
Wed Jan 13 19:22:37 UTC 2016 

I think this is more of a discusion on if you got 'what' you wanted or 
if you got it from 'where' you wanted. Even if you used SFTP, the file 
could've changed, and if it doesn't have a SHA1SUM it could result in 
unexpected charm breakage.

If it were me, I would always implement SHA1SUMS, just to make sure that 
the file is, in fact, what I wanted. It would make it easier to debug 
and fix later down the road.


On 01/13/2016 02:18 PM, Adam Israel wrote:
> Matt,
>
> For the charm in question, I would think adding the sha1sum check to the
> process would be sufficient, especially in the scenario that the binary
> is being self-hosted for the purposes of installing it via the charm.
>
> Adam Israel - Software Engineer
> Canonical Ltd.
> http://juju.ubuntu.com/ - Automate your Cloud Infrastructure
>
>> On Jan 13, 2016, at 2:14 PM, Tom Barber <tom at analytical-labs.com
>> <mailto:tom at analytical-labs.com>> wrote:
>>
>> Yeah but as pointed out earlier,  it verifies where you got it from,
>> but not what you got.  :)
>>
>> On 13 Jan 2016 19:11, "Jay Wren" <jay.wren at canonical.com
>> <mailto:jay.wren at canonical.com>> wrote:
>>
>>     StrictHostKeyChecking and shipping the public key of the ssh host with
>>     the charm does seem to meet the criteria of verifying the intended
>>     source.
>>
>>
>>     On Wed, Jan 13, 2016 at 1:46 PM, Matt Bruzek
>>     <matthew.bruzek at canonical.com
>>     <mailto:matthew.bruzek at canonical.com>> wrote:
>>     > I recently reviewed a charm that is using sftp to download the
>>     binary files
>>     > with a username and password.  The charm does not check the
>>     sha1sum of these
>>     > files.
>>     >
>>     > The Charm Store Policy states:  Must verify that any software
>>     installed or
>>     > utilized is verified as coming from the intended source
>>     >
>>     > https://jujucharms.com/docs/stable/authors-charm-policy
>>     >
>>     > Does using sftp eliminate the need to check the sha1sum of the files
>>     > downloaded?
>>     >
>>     > What does the Juju community say to this question?
>>     >
>>     >    - Matt Bruzek <matthew.bruzek at canonical.com
>>     <mailto:matthew.bruzek at canonical.com>>
>>     >
>>     > --
>>     > Juju mailing list
>>     > Juju at lists.ubuntu.com <mailto:Juju at lists.ubuntu.com>
>>     > Modify settings or unsubscribe at:
>>     > https://lists.ubuntu.com/mailman/listinfo/juju
>>     >
>>
>>     --
>>     Juju mailing list
>>     Juju at lists.ubuntu.com <mailto:Juju at lists.ubuntu.com>
>>     Modify settings or unsubscribe at:
>>     https://lists.ubuntu.com/mailman/listinfo/juju
>>
>> --
>> Juju mailing list
>> Juju at lists.ubuntu.com <mailto:Juju at lists.ubuntu.com>
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/juju
>
>
>


-- 
José Antonio Rey

More information about the Juju mailing list