StrictHostKeyChecking and shipping the public key of the ssh host with
the charm does seem to meet the criteria of verifying the intended
source.


On Wed, Jan 13, 2016 at 1:46 PM, Matt Bruzek
<matthew.bru...@canonical.com> wrote:
> I recently reviewed a charm that is using sftp to download the binary files
> with a username and password.  The charm does not check the sha1sum of these
> files.
>
> The Charm Store Policy states:  Must verify that any software installed or
> utilized is verified as coming from the intended source
>
> https://jujucharms.com/docs/stable/authors-charm-policy
>
> Does using sftp eliminate the need to check the sha1sum of the files
> downloaded?
>
> What does the Juju community say to this question?
>
>    - Matt Bruzek <matthew.bru...@canonical.com>
>
> --
> Juju mailing list
> Juju@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/juju
>

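As an added illustration, not code from the thread or from the charm under review, here is how a charm hook could do both things the thread discusses: pin the SFTP server's host key (StrictHostKeyChecking=yes with a known_hosts file shipped in the charm) and then check the downloaded file against a digest the charm author recorded at packaging time. The host name, user, remote path, host key and digest below are placeholders, and key-based authentication is assumed because `sftp -b` does not prompt for a password; the thread mentions sha1sum, and the same check is shown here with sha256sum.

```sh
#!/bin/sh
# Added example: pinned-host-key SFTP fetch plus digest check for a charm hook.
# All identifiers below are placeholders, not values from any real charm.
set -eu

SFTP_HOST="files.example.com"           # placeholder
SFTP_USER="charm"                        # placeholder
REMOTE_PATH="/releases/app-1.2.3.tar.gz" # placeholder
# One line in known_hosts format, as `ssh-keyscan -t ed25519 files.example.com`
# would print it.  The key material here is a placeholder, not a real key.
PINNED_HOST_KEY="files.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDE"
# Digest the charm author recorded when the binary was packaged (placeholder).
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Write the pinned key to a known_hosts file under the charm's own directory
# and print its path.  Only this key will be accepted by fetch_sftp below.
write_known_hosts() {
    dir="$1"
    printf '%s\n' "$PINNED_HOST_KEY" > "$dir/known_hosts"
    chmod 600 "$dir/known_hosts"
    printf '%s\n' "$dir/known_hosts"
}

# Download REMOTE_PATH to $dest.  StrictHostKeyChecking=yes refuses any host
# whose key is not already in the known_hosts file, so there is no
# trust-on-first-use prompt; GlobalKnownHostsFile=/dev/null stops the
# system-wide /etc/ssh/ssh_known_hosts from satisfying the check instead.
fetch_sftp() {
    known_hosts="$1"
    dest="$2"
    printf 'get %s %s\n' "$REMOTE_PATH" "$dest" | sftp -b - \
        -o StrictHostKeyChecking=yes \
        -o "UserKnownHostsFile=$known_hosts" \
        -o GlobalKnownHostsFile=/dev/null \
        "$SFTP_USER@$SFTP_HOST"
}

# Return 0 if the file's SHA-256 matches $expected, 1 otherwise.
# Pinning authenticates the server; this catches a file that was replaced
# or corrupted on the server side, or truncated in transit.
verify_digest() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Real fetch only when RUN_FETCH=1, so the file can be sourced for testing
# without network access.  Any failure aborts the hook (set -e).
if [ "${RUN_FETCH:-0}" = "1" ]; then
    workdir=$(mktemp -d)
    kh=$(write_known_hosts "$workdir")
    fetch_sftp "$kh" "$workdir/app.tar.gz"
    verify_digest "$workdir/app.tar.gz" "$EXPECTED_SHA256" \
        || { echo "digest mismatch for $workdir/app.tar.gz" >&2; exit 1; }
    echo "fetched and verified $workdir/app.tar.gz"
fi
```

The two checks answer different questions: the pinned host key establishes that the bytes came from the intended server, while the recorded digest establishes that they are the bytes the charm author packaged. Shipping both in the charm costs a few lines and removes the need to decide which one the policy wording requires.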