Re: Does sftp eliminate the need to check sha1sum?

Wed, 13 Jan 2016 11:19:55 -0800 

Matt,

For the charm in question, I would think adding the sha1sum check to the 
process would be sufficient, especially in the scenario that the binary is 
being self-hosted for the purposes of installing it via the charm.

Adam Israel - Software Engineer
Canonical Ltd.
http://juju.ubuntu.com/ - Automate your Cloud Infrastructure

> On Jan 13, 2016, at 2:14 PM, Tom Barber <t...@analytical-labs.com> wrote:
> 
> Yeah but as pointed out earlier,  it verifies where you got it from,  but not 
> what you got.  :)
> 
> On 13 Jan 2016 19:11, "Jay Wren" <jay.w...@canonical.com 
> <mailto:jay.w...@canonical.com>> wrote:
> StrictHostKeyChecking and shipping the public key of the ssh host with
> the charm does seem to meet the criteria of verifying the intended
> source.
> 
> 
> On Wed, Jan 13, 2016 at 1:46 PM, Matt Bruzek
> <matthew.bru...@canonical.com <mailto:matthew.bru...@canonical.com>> wrote:
> > I recently reviewed a charm that is using sftp to download the binary files
> > with a username and password.  The charm does not check the sha1sum of these
> > files.
> >
> > The Charm Store Policy states:  Must verify that any software installed or
> > utilized is verified as coming from the intended source
> >
> > https://jujucharms.com/docs/stable/authors-charm-policy 
> > <https://jujucharms.com/docs/stable/authors-charm-policy>
> >
> > Does using sftp eliminate the need to check the sha1sum of the files
> > downloaded?
> >
> > What does the Juju community say to this question?
> >
> >    - Matt Bruzek <matthew.bru...@canonical.com 
> > <mailto:matthew.bru...@canonical.com>>
> >
> > --
> > Juju mailing list
> > Juju@lists.ubuntu.com <mailto:Juju@lists.ubuntu.com>
> > Modify settings or unsubscribe at:
> > https://lists.ubuntu.com/mailman/listinfo/juju 
> > <https://lists.ubuntu.com/mailman/listinfo/juju>
> >
> 
> --
> Juju mailing list
> Juju@lists.ubuntu.com <mailto:Juju@lists.ubuntu.com>
> Modify settings or unsubscribe at: 
> https://lists.ubuntu.com/mailman/listinfo/juju 
> <https://lists.ubuntu.com/mailman/listinfo/juju>
> -- 
> Juju mailing list
> Juju@lists.ubuntu.com
> Modify settings or unsubscribe at: 
> https://lists.ubuntu.com/mailman/listinfo/juju


-- 
Juju mailing list
Juju@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/juju

Reply via email to