Does sftp eliminate the need to check sha1sum?

Tom Barber tom at analytical-labs.com
Wed Jan 13 18:55:21 UTC 2016


Surely SFTP with username/password doesn't prevent man-in-the-middle
attacks? I could just set up a box with the same credentials.

Also on a slightly different note isn't the hash useful to verify the
download is complete and intact even if the source is fine?

Tom
On 13 Jan 2016 18:47, "Matt Bruzek" <matthew.bruzek at canonical.com> wrote:

> I recently reviewed a charm that is using sftp to download the binary
> files with a username and password.  The charm does not check the sha1sum
> of these files.
>
> The Charm Store Policy states:  Must verify that any software installed or
> utilized is verified as coming from the intended source
>
> https://jujucharms.com/docs/stable/authors-charm-policy
>
> Does using sftp eliminate the need to check the sha1sum of the files
> downloaded?
>
> What does the Juju community say to this question?
>
>    - Matt Bruzek <matthew.bruzek at canonical.com>
>
> --
> Juju mailing list
> Juju at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/juju
>
>
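Tom's two points, that a password-only SFTP session does nothing against a look-alike server and that the hash catches a truncated or altered download whatever the transport, map onto a check a charm hook could actually run. The following is an added example written for this thread, not code from the original post or from any Juju charm or the Charm Store; the remote host, destination path, and known_hosts file passed to `fetch_and_verify` are hypothetical placeholders, and the offline `demo` uses a constructed file.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded artifact against a
# pinned SHA-1 before using it, and fail closed on mismatch.

# Compute a file's SHA-1 with whichever tool is present (sha1sum on Linux,
# shasum on BSD/macOS).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# verify_sha1 FILE EXPECTED_HASH
# Returns 0 if FILE hashes to EXPECTED_HASH; otherwise removes the file so a
# truncated or tampered download cannot be installed, and returns 1.
verify_sha1() {
    file="$1"; expected="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "sha1 mismatch for $file: expected $expected, got $actual" >&2
    rm -f "$file"
    return 1
}

# fetch_and_verify USER@HOST:REMOTE_PATH DEST EXPECTED_HASH KNOWN_HOSTS
# (all arguments hypothetical). StrictHostKeyChecking=yes together with a
# dedicated, pre-populated known_hosts file is what makes sftp refuse a server
# whose host key is not the pinned one, even if it accepts the same credentials.
# The hash check afterwards covers what the transport cannot: an incomplete
# or modified file on the genuine server.
fetch_and_verify() {
    remote="$1"; dest="$2"; expected="$3"; known_hosts="$4"
    sftp -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$known_hosts" \
        "$remote" "$dest" || return 1
    verify_sha1 "$dest" "$expected"
}

# Offline demonstration on a constructed file (no network needed).
demo() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    good=f572d396fae9206628714fb2ce00f72e94f2258f   # sha1 of "hello\n"
    verify_sha1 "$tmp" "$good" && echo "intact"
    printf 'hell' > "$tmp"   # simulate a truncated download
    verify_sha1 "$tmp" "$good" || echo "rejected truncated file"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run with `sh verify.sh demo` to see the intact file accepted and the truncated one rejected and deleted; in a charm the expected hash would be a constant shipped with the charm, not something fetched from the same server as the binary.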