Surely SFTP with username/password doesn't prevent man-in-the-middle attacks? I could just set up a box with the same credentials.

Also, on a slightly different note, isn't the hash useful to verify the download is complete and intact even if the source is fine?

Tom

On 13 Jan 2016 18:47, "Matt Bruzek" <matthew.bru...@canonical.com> wrote:
> I recently reviewed a charm that is using sftp to download the binary
> files with a username and password. The charm does not check the sha1sum
> of these files.
>
> The Charm Store Policy states: Must verify that any software installed or
> utilized is verified as coming from the intended source
>
> https://jujucharms.com/docs/stable/authors-charm-policy
>
> Does using sftp eliminate the need to check the sha1sum of the files
> downloaded?
>
> What does the Juju community say to this question?
>
> - Matt Bruzek <matthew.bru...@canonical.com>
>
> --
> Juju mailing list
> Juju@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/juju
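As an added example (not code from this thread or from the charm under review), a POSIX shell fragment a charm hook could use to pull a file over sftp and apply both checks raised above: pinning the server's host key, which is what actually rejects a look-alike box that merely knows the username and password, and comparing the file's sha1sum against a value recorded in the charm, which catches an incomplete or corrupted download even when the source is genuine. The user, host, remote path, known_hosts file and digest are placeholders.

```shell
#!/bin/sh
# Added example; not from the thread or any Juju charm. Placeholders: the
# user, host, remote path, known_hosts file and expected digest are all
# hypothetical values.

# verify_sha1 FILE EXPECTED: return 0 only if FILE's SHA-1 equals EXPECTED.
# This check detects truncation or corruption regardless of where the file
# came from; it says nothing about who served it.
verify_sha1() {
    actual=$(sha1sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# fetch_sftp USER HOST REMOTE_PATH LOCAL_PATH KNOWN_HOSTS
# Download one file. StrictHostKeyChecking=yes plus a charm-shipped
# known_hosts file means a server whose key is absent or different is
# refused before any transfer, which is what a password alone cannot do.
# Batch mode (-b -) requires non-interactive authentication such as a key;
# a password prompt cannot be answered in batch mode.
fetch_sftp() {
    sftp -o StrictHostKeyChecking=yes \
         -o UserKnownHostsFile="$5" \
         -b - "$1@$2" <<EOF
get "$3" "$4"
EOF
}

# fetch_and_verify USER HOST REMOTE_PATH LOCAL_PATH KNOWN_HOSTS EXPECTED_SHA1
# Download into a temporary file and move it into place only after the
# digest matches; on any failure nothing is left behind for the hook to use.
fetch_and_verify() {
    tmp=$(mktemp) || return 1
    if fetch_sftp "$1" "$2" "$3" "$tmp" "$5" && verify_sha1 "$tmp" "$6"; then
        mv "$tmp" "$4"
    else
        rm -f "$tmp"
        echo "download of $3 failed host-key or sha1sum verification" >&2
        return 1
    fi
}

# Example invocation with placeholder values:
# fetch_and_verify deploy files.example.invalid /pub/app.tar.gz /tmp/app.tar.gz \
#     "$CHARM_DIR/files/known_hosts" 0123456789abcdef0123456789abcdef01234567
```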