Does sftp eliminate the need to check sha1sum?

Bryan Quigley bryan.quigley at canonical.com
Wed Jan 13 18:55:19 UTC 2016


That seems equivalent to downloading from an HTTPS site which I don't think
would qualify as verifying as coming from the intended source.  Now, I
suppose in both cases you could copy the certificate id (https) or copy the
ssh host id to provide some verification, but that seems like more work to
me.

Thanks,
Bryan

On Wed, Jan 13, 2016 at 1:46 PM, Matt Bruzek <matthew.bruzek at canonical.com>
wrote:

> I recently reviewed a charm that is using sftp to download the binary
> files with a username and password.  The charm does not check the sha1sum
> of these files.
>
> The Charm Store Policy states:  Must verify that any software installed or
> utilized is verified as coming from the intended source
>
> https://jujucharms.com/docs/stable/authors-charm-policy
>
> Does using sftp eliminate the need to check the sha1sum of the files
> downloaded?
>
> What does the Juju community say to this question?
>
>    - Matt Bruzek <matthew.bruzek at canonical.com>
>
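The distinction the thread turns on is that sftp (like HTTPS) protects the bytes in transit, while the policy asks for proof that the bytes are the ones the author intended to ship. The usual way a charm satisfies that is to record the checksum of the upstream artifact in the charm itself and refuse to install anything that does not match. The following is an added example written for this page, not code from the thread or from any Juju charm; the file name, the `fetch_and_verify` stand-in for the sftp download, and the expected SHA-1 (the digest of the constructed payload `hello\n`) are all assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify a downloaded
# artifact against a checksum that ships with the charm, independently of
# whatever transport fetched it.

# verify_sha1 FILE EXPECTED_SHA1
# Returns 0 when FILE's SHA-1 digest equals EXPECTED_SHA1, 1 otherwise.
verify_sha1() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "verify_sha1: missing file: $file" >&2; return 1; }
    actual=$(sha1sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_sha1: checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# fetch_and_verify FILE EXPECTED_SHA1
# Models the charm's install step: a download followed by the checksum check.
# The download is simulated here by writing a constructed payload; a real
# hook would run something like
#   sftp -o StrictHostKeyChecking=yes -o UserKnownHostsFile=known_hosts \
#       user@host:artifact "$file"
# On mismatch the artifact is deleted so later hooks cannot pick it up.
fetch_and_verify() {
    file=$1
    expected=$2
    printf 'hello\n' > "$file"          # constructed stand-in for the download
    if verify_sha1 "$file" "$expected"; then
        return 0
    fi
    rm -f "$file"
    return 1
}
```

Two points are worth noting. First, the expected digest belongs in the charm (or its config), not on the same server the file is fetched from, otherwise anyone who can alter the artifact can alter the checksum beside it. Second, the `StrictHostKeyChecking=yes` / `UserKnownHostsFile` options in the comment are the "copy the ssh host id" approach Bryan mentions: they pin the server's identity and stop the transfer on a mismatch, which authenticates the host but still says nothing about whether the file on that host is the intended one, so the checksum check remains necessary.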