Re: Does sftp eliminate the need to check sha1sum?

hi all, Sorry to barge in like this, but this is very important for my use-case. Binaries that are downloaded always need to be checked using a checksum *included in the charm*. One Charm version should always deploy the *exact same version of that service*. If you want Juju to be used in

Re: Does sftp eliminate the need to check sha1sum?

Please note that this doesn't have to be a burden on the vetting process. The vetting process for an updated binary can be more or less automated, especially with the upcoming juju resources. The important part is that every time the binary changes, the charm version has to be bumped. 2016-01-14

Re: Does sftp eliminate the need to check sha1sum?

My preference over hard-coding a checksum into the charm would be hosting a GPG signature alongside the file and including the public key in the charm. This allows the charm author to update a file if necessary without having to also update the charm, but also allows the charm to confirm that it

Re: Does sftp eliminate the need to check sha1sum?

Just as a word of calming against this our recommended patterns are to make the payload you're fetching configurable: such as fetch this particular tarball from server X with a shipping SHA1/SHA256 sum of the payload to ensure a) its the same payload b) it wasn't corrupted from the point of

Re: Does sftp eliminate the need to check sha1sum?

Thanks for the words of calming :) In retrospect, my email ended up sounding a lot more heated than originally intended, sorry for that. Kind regards Merlijn 2016-01-14 15:26 GMT+01:00 Charles Butler : > Just as a word of calming against this our recommended

Re: Does sftp eliminate the need to check sha1sum?

Hey everyone! Wow, great discussion so far. I think it's clear that repeat-ability and reliability is very important and it's something Juju aims to do so we should make sure charms follow suit. As Merlijn and Cory alluded to, this is a pretty temporary problem as in Juju 2.0 we will get

Re: Does sftp eliminate the need to check sha1sum?

Merlijn, I completely agree with you, that charm deps should be tied to the charm version. For the big data charms, we're working on refactoring them to use layers (and hope to have that available in ~bigdata-dev very, very soon), which will create a wheelhouse of deps in the charm at build

Re: Does sftp eliminate the need to check sha1sum?

That seems equivalent to downloading from an HTTPS site which I don't think would qualify as verifying as coming from the intended source. Now, I suppose in both cases you could copy the certificate id (https) or copy the ssh host id to provide some verification, but that seems like more work to

Re: Does sftp eliminate the need to check sha1sum?

I disagree with the HTTPS comment, since if the certificate is validated by an authority it's reasonable to assert you received it from intended part. If SFTP and checking host keys like SSH should also perform the same function as long as we have the hosts signature. On Wed, Jan 13, 2016 at 8:56

Re: Does sftp eliminate the need to check sha1sum?

Surely SFTP with username/password doesn't prevent man in the middle attacks? I could just setup a box with the same credentials. Also on a slightly different note isn't the hash useful to verify the download is complete and intact even if the source is fine? Tom On 13 Jan 2016 18:47, "Matt

Re: Does sftp eliminate the need to check sha1sum?

I think this is more of a discusion on if you got 'what' you wanted or if you got it from 'where' you wanted. Even if you used SFTP, the file could've changed, and if it doesn't have a SHA1SUM it could result in unexpected charm breakage. If it were me, I would always implement SHA1SUMS, just