hi all, Sorry to barge in like this, but this is very important for my
use-case.
Binaries that are downloaded always need to be checked using a
checksum *included
in the charm*.
One Charm version should always deploy the *exact same version of that
service*. If you want Juju to be used in
Please note that this doesn't have to be a burden on the vetting process.
The vetting process for an updated binary can be more or less automated,
especially with the upcoming juju resources. The important part is that
every time the binary changes, the charm version has to be bumped.
2016-01-14
My preference over hard-coding a checksum into the charm would be hosting a
GPG signature alongside the file and including the public key in the
charm. This allows the charm author to update a file if necessary without
having to also update the charm, but also allows the charm to confirm that
it
Just as a word of calming against this our recommended patterns are to make
the payload you're fetching configurable:
such as fetch this particular tarball from server X with a shipping
SHA1/SHA256 sum of the payload to ensure a) its the same payload b) it
wasn't corrupted from the point of
Thanks for the words of calming :)
In retrospect, my email ended up sounding a lot more heated than originally
intended, sorry for that.
Kind regards
Merlijn
2016-01-14 15:26 GMT+01:00 Charles Butler :
> Just as a word of calming against this our recommended
Hey everyone!
Wow, great discussion so far. I think it's clear that repeat-ability and
reliability is very important and it's something Juju aims to do so we
should make sure charms follow suit. As Merlijn and Cory alluded to, this
is a pretty temporary problem as in Juju 2.0 we will get
Merlijn,
I completely agree with you, that charm deps should be tied to the charm
version. For the big data charms, we're working on refactoring them to use
layers (and hope to have that available in ~bigdata-dev very, very soon),
which will create a wheelhouse of deps in the charm at build
That seems equivalent to downloading from an HTTPS site which I don't think
would qualify as verifying as coming from the intended source. Now, I
suppose in both cases you could copy the certificate id (https) or copy the
ssh host id to provide some verification, but that seems like more work to
I disagree with the HTTPS comment, since if the certificate is validated by
an authority it's reasonable to assert you received it from intended part.
If SFTP and checking host keys like SSH should also perform the same
function as long as we have the hosts signature.
On Wed, Jan 13, 2016 at 8:56
Surely SFTP with username/password doesn't prevent man in the middle
attacks? I could just setup a box with the same credentials.
Also on a slightly different note isn't the hash useful to verify the
download is complete and intact even if the source is fine?
Tom
On 13 Jan 2016 18:47, "Matt
I think this is more of a discusion on if you got 'what' you wanted or
if you got it from 'where' you wanted. Even if you used SFTP, the file
could've changed, and if it doesn't have a SHA1SUM it could result in
unexpected charm breakage.
If it were me, I would always implement SHA1SUMS, just
11 matches
Mail list logo