Yeah but as pointed out earlier, it verifies where you got it from, but not what you got. :)

On 13 Jan 2016 19:11, "Jay Wren" <jay.w...@canonical.com> wrote:
> StrictHostKeyChecking and shipping the public key of the ssh host with
> the charm does seem to meet the criteria of verifying the intended
> source.
>
>
> On Wed, Jan 13, 2016 at 1:46 PM, Matt Bruzek
> <matthew.bru...@canonical.com> wrote:
> > I recently reviewed a charm that is using sftp to download the binary files
> > with a username and password. The charm does not check the sha1sum of these
> > files.
> >
> > The Charm Store Policy states: Must verify that any software installed or
> > utilized is verified as coming from the intended source
> >
> > https://jujucharms.com/docs/stable/authors-charm-policy
> >
> > Does using sftp eliminate the need to check the sha1sum of the files
> > downloaded?
> >
> > What does the Juju community say to this question?
> >
> > - Matt Bruzek <matthew.bru...@canonical.com>
> >
> > --
> > Juju mailing list
> > Juju@lists.ubuntu.com
> > Modify settings or unsubscribe at:
> > https://lists.ubuntu.com/mailman/listinfo/juju
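The distinction drawn in this thread, as an added example that is not part of any of the messages or of the charm under review: the ssh host key identifies which server answered, while a digest pinned in the charm identifies which file arrived. The function names, the sample bytes and the use of SHA-256 (the thread mentions sha1sum) are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 64 * 1024


def file_digest(path, algorithm="sha256"):
    """Stream the file through the hash so large binaries are not read whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_payload(path, pinned_hex, algorithm="sha256"):
    """True only if the file content matches the digest shipped with the charm."""
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, pinned_hex.strip().lower())


def install_if_verified(path, pinned_hex):
    """Delete and reject a download whose content differs from the pinned digest."""
    if not verify_payload(path, pinned_hex):
        os.unlink(path)
        raise ValueError("digest mismatch, refusing to install " + path)
    return path


def demo():
    # Constructed sample: both files stand for downloads from the same,
    # correctly authenticated host; only the content differs.
    released = b"constructed sample binary v1.0\n"
    pinned = hashlib.sha256(released).hexdigest()
    results = {}
    for label, content in (("released", released), ("replaced", released + b"x")):
        fd, path = tempfile.mkstemp()
        with os.fdopen(fd, "wb") as f:
            f.write(content)
        try:
            os.unlink(install_if_verified(path, pinned))
            results[label] = True
        except ValueError:
            results[label] = False
    return results


if __name__ == "__main__":
    print(demo())
```
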