That seems equivalent to downloading from an HTTPS site which I don't think would qualify as verifying as coming from the intended source. Now, I suppose in both cases you could copy the certificate id (https) or copy the ssh host id to provide some verification, but that seems like more work to me.
Thanks,
Bryan

On Wed, Jan 13, 2016 at 1:46 PM, Matt Bruzek <[email protected]> wrote:
> I recently reviewed a charm that is using sftp to download the binary
> files with a username and password. The charm does not check the sha1sum
> of these files.
>
> The Charm Store Policy states: Must verify that any software installed or
> utilized is verified as coming from the intended source
>
> https://jujucharms.com/docs/stable/authors-charm-policy
>
> Does using sftp eliminate the need to check the sha1sum of the files
> downloaded?
>
> What does the Juju community say to this question?
>
> - Matt Bruzek <[email protected]>
>
> --
> Juju mailing list
> [email protected]
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/juju
--
Juju mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/juju
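The check the thread is asking about, as an added example that is not part of either message: a hook helper that pins the expected digest of the downloaded binary in the charm itself, so the file is tied to the release the author intended regardless of whether it arrived over sftp or HTTPS. The helper name, the use of SHA-256 (sha1sum works the same way) and the sample file are assumptions for illustration.

```shell
# Added example, not code from the thread or from any Juju charm.
# Transport security (sftp or https) protects bytes in flight; it says nothing
# about whether the file on the server is the one the charm author vetted.
# A digest pinned in the charm source supplies that second check.

# verify_download FILE EXPECTED_SHA256
# Returns 0 when the file's SHA-256 digest equals EXPECTED_SHA256.
# On any failure it prints the reason, deletes the file so a later step
# cannot use it by accident, and returns 1 so the hook can fail closed.
verify_download() {
    file="$1"
    expected="$2"
    if [ ! -f "$file" ]; then
        echo "verify_download: $file does not exist" >&2
        return 1
    fi
    # sha256sum prints "<digest>  <path>"; keep only the digest.
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "verify_download: digest mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        rm -f "$file"
        return 1
    fi
    return 0
}

# Typical hook usage (assumed path and digest; the digest is a constructed
# value for a file containing the single line "hello"):
#   sftp "$SRC_USER@$SRC_HOST:/release/app.bin" /var/lib/app/app.bin
#   verify_download /var/lib/app/app.bin \
#       5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 || exit 1
```

Store the pinned digest alongside the charm (e.g. in config or a constants file) and update it with every release you vet; a changed upstream file then fails the hook instead of being installed silently.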
