I recently reviewed a charm that is using sftp to download the binary files with a username and password. The charm does not check the sha1sum of these files.
The Charm Store Policy states: Must verify that any software installed or utilized is verified as coming from the intended source https://jujucharms.com/docs/stable/authors-charm-policy Does using sftp eliminate the need to check the sha1sum of the files downloaded? What does the Juju community say to this question? - Matt Bruzek <[email protected]>
-- Juju mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/juju
