My preference over hard-coding a checksum into the charm would be hosting a GPG signature alongside the file and including the public key in the charm. This allows the charm author to update a file if necessary without having to also update the charm, but also allows the charm to confirm that it got the file as intended by the author.
Hopefully, though, this will become moot with the advent of resources support in Juju 2.0. On Thu, Jan 14, 2016 at 1:48 AM, Andrew Wilkins < andrew.wilk...@canonical.com> wrote: > On Thu, Jan 14, 2016 at 3:23 AM José Antonio Rey <j...@ubuntu.com> wrote: > >> I think this is more of a discusion on if you got 'what' you wanted or >> if you got it from 'where' you wanted. Even if you used SFTP, the file >> could've changed, and if it doesn't have a SHA1SUM it could result in >> unexpected charm breakage. >> >> If it were me, I would always implement SHA1SUMS, just to make sure that >> the file is, in fact, what I wanted. It would make it easier to debug >> and fix later down the road. >> > > +1 > > SFTP/SSH will (can?) ensure the integrity during transit, but can't tell > you that the data wasn't tampered with outside of the SFTP transfer > process. Someone could have replaced the file on the file server. The > client needs to know ahead of time what to expect. > > On 01/13/2016 02:18 PM, Adam Israel wrote: >> > Matt, >> > >> > For the charm in question, I would think adding the sha1sum check to the >> > process would be sufficient, especially in the scenario that the binary >> > is being self-hosted for the purposes of installing it via the charm. >> > >> > Adam Israel - Software Engineer >> > Canonical Ltd. >> > http://juju.ubuntu.com/ - Automate your Cloud Infrastructure >> > >> >> On Jan 13, 2016, at 2:14 PM, Tom Barber <t...@analytical-labs.com >> >> <mailto:t...@analytical-labs.com>> wrote: >> >> >> >> Yeah but as pointed out earlier, it verifies where you got it from, >> >> but not what you got. :) >> >> >> >> On 13 Jan 2016 19:11, "Jay Wren" <jay.w...@canonical.com >> >> <mailto:jay.w...@canonical.com>> wrote: >> >> >> >> StrictHostKeyChecking and shipping the public key of the ssh host >> with >> >> the charm does seem to meet the criteria of verifying the intended >> >> source. >> >> >> >> >> >> On Wed, Jan 13, 2016 at 1:46 PM, Matt Bruzek >> >> <matthew.bru...@canonical.com >> >> <mailto:matthew.bru...@canonical.com>> wrote: >> >> > I recently reviewed a charm that is using sftp to download the >> >> binary files >> >> > with a username and password. The charm does not check the >> >> sha1sum of these >> >> > files. >> >> > >> >> > The Charm Store Policy states: Must verify that any software >> >> installed or >> >> > utilized is verified as coming from the intended source >> >> > >> >> > https://jujucharms.com/docs/stable/authors-charm-policy >> >> > >> >> > Does using sftp eliminate the need to check the sha1sum of the >> files >> >> > downloaded? >> >> > >> >> > What does the Juju community say to this question? >> >> > >> >> > - Matt Bruzek <matthew.bru...@canonical.com >> >> <mailto:matthew.bru...@canonical.com>> >> >> > >> >> > -- >> >> > Juju mailing list >> >> > Juju@lists.ubuntu.com <mailto:Juju@lists.ubuntu.com> >> >> > Modify settings or unsubscribe at: >> >> > https://lists.ubuntu.com/mailman/listinfo/juju >> >> > >> >> >> >> -- >> >> Juju mailing list >> >> Juju@lists.ubuntu.com <mailto:Juju@lists.ubuntu.com> >> >> Modify settings or unsubscribe at: >> >> https://lists.ubuntu.com/mailman/listinfo/juju >> >> >> >> -- >> >> Juju mailing list >> >> Juju@lists.ubuntu.com <mailto:Juju@lists.ubuntu.com> >> >> Modify settings or unsubscribe at: >> >> https://lists.ubuntu.com/mailman/listinfo/juju >> > >> > >> > >> >> >> -- >> José Antonio Rey >> >> >> -- >> Juju mailing list >> Juju@lists.ubuntu.com >> Modify settings or unsubscribe at: >> https://lists.ubuntu.com/mailman/listinfo/juju >> > > -- > Juju mailing list > Juju@lists.ubuntu.com > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/juju > >
-- Juju mailing list Juju@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/juju
