Matt,

For the charm in question, I would think adding the sha1sum check to the process would be sufficient, especially in the scenario that the binary is being self-hosted for the purposes of installing it via the charm.

Adam Israel - Software Engineer
Canonical Ltd.
http://juju.ubuntu.com/ - Automate your Cloud Infrastructure

> On Jan 13, 2016, at 2:14 PM, Tom Barber <t...@analytical-labs.com> wrote:
>
> Yeah but as pointed out earlier, it verifies where you got it from, but not what you got. :)
>
> On 13 Jan 2016 19:11, "Jay Wren" <jay.w...@canonical.com> wrote:
> StrictHostKeyChecking and shipping the public key of the ssh host with
> the charm does seem to meet the criteria of verifying the intended
> source.
>
>
> On Wed, Jan 13, 2016 at 1:46 PM, Matt Bruzek <matthew.bru...@canonical.com> wrote:
> > I recently reviewed a charm that is using sftp to download the binary files
> > with a username and password. The charm does not check the sha1sum of these
> > files.
> >
> > The Charm Store Policy states: Must verify that any software installed or
> > utilized is verified as coming from the intended source
> >
> > https://jujucharms.com/docs/stable/authors-charm-policy
> >
> > Does using sftp eliminate the need to check the sha1sum of the files
> > downloaded?
> >
> > What does the Juju community say to this question?
> >
> > - Matt Bruzek <matthew.bru...@canonical.com>
> >
> > --
> > Juju mailing list
> > Juju@lists.ubuntu.com
> > Modify settings or unsubscribe at:
> > https://lists.ubuntu.com/mailman/listinfo/juju
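Added example, not part of the thread or of the charm under review: a shell sketch that combines the two checks discussed above, a pinned ssh host key for where the file came from and a pinned sha1sum for what was received. The function names, arguments and the key-based login are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed placeholders: host, paths and digest are not from the thread.
# sha1sum is used because the thread names it; sha256sum is a drop-in swap.

# fetch_pinned USER@HOST REMOTE LOCAL KNOWN_HOSTS
# Source check: sftp refuses to connect unless the server's host key matches
# the known_hosts file shipped with the charm. Assumes key-based login,
# because batch mode (-b) cannot answer a password prompt.
fetch_pinned() {
    printf 'get "%s" "%s"\n' "$2" "$3" |
        sftp -b - -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$4" "$1"
}

# verify_sha1 FILE EXPECTED_HEX
# Content check: returns 0 only when FILE hashes to EXPECTED_HEX. On a
# mismatch the file is deleted so a later hook run cannot install it.
verify_sha1() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha1sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "sha1 mismatch for $file: got $actual, want $expected" >&2
        rm -f -- "$file"
        return 1
    fi
    return 0
}

# fetch_and_verify USER@HOST REMOTE LOCAL KNOWN_HOSTS EXPECTED_HEX
# Both checks must pass before the caller installs LOCAL.
fetch_and_verify() {
    fetch_pinned "$1" "$2" "$3" "$4" && verify_sha1 "$3" "$5"
}
```

The expected digest has to ship inside the charm; a digest fetched from the same server as the binary adds nothing to the host key check.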