Does sftp eliminate the need to check sha1sum?

Adam Israel adam.israel at canonical.com
Wed Jan 13 18:56:18 UTC 2016


No, I don’t believe using SFTP is sufficient alone. Using a secure transfer protocol is good for preventing a man-in-the-middle attack but doesn’t do anything if the source binary, i.e., hosted on the "trusted" server, has been modified.

Adam Israel - Software Engineer
Canonical Ltd.
http://juju.ubuntu.com/ - Automate your Cloud Infrastructure

> On Jan 13, 2016, at 1:46 PM, Matt Bruzek <matthew.bruzek at canonical.com> wrote:
> 
> I recently reviewed a charm that is using sftp to download the binary files with a username and password.  The charm does not check the sha1sum of these files.
> 
> The Charm Store Policy states:  Must verify that any software installed or utilized is verified as coming from the intended source
> 
> https://jujucharms.com/docs/stable/authors-charm-policy
> 
> Does using sftp eliminate the need to check the sha1sum of the files downloaded?
> 
> What does the Juju community say to this question?
> 
>    - Matt Bruzek <matthew.bruzek at canonical.com>
> -- 
> Juju mailing list
> Juju at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/juju
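The check Matt's question and Adam's reply concern, as an added example that is not code from the thread or from any Juju charm: the charm pins the expected SHA-1 in its own source or config, fetches the file over whatever transport it uses (sftp here, assumed to be a command that writes the destination path), and then refuses to keep the file unless the digest matches. The transport protects the bytes in flight; the pinned checksum is what detects a modified binary on the server.

```bash
#!/bin/sh
# Added example, not part of the mailing-list thread or any charm.
# Verifies a fetched file against a checksum pinned by the charm author,
# independently of the transport (sftp, https, ...) used to fetch it.

# verify_sha1 FILE EXPECTED_SHA1
# Returns 0 when FILE exists and its SHA-1 equals EXPECTED_SHA1, 1 otherwise.
# Swap sha1sum for sha256sum (and pin a SHA-256) to use the stronger digest.
verify_sha1() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || return 1
    actual="$(sha1sum "$file" | cut -d' ' -f1)"
    [ "$actual" = "$expected" ]
}

# fetch_and_verify DEST EXPECTED_SHA1 FETCH_CMD [ARGS...]
# Runs FETCH_CMD (assumed to write DEST; in a charm this would be the
# sftp/curl invocation), then keeps DEST only if its checksum matches.
# A mismatch removes the file so a later hook cannot install it by accident.
fetch_and_verify() {
    dest="$1"
    expected="$2"
    shift 2
    "$@" || return 1
    if verify_sha1 "$dest" "$expected"; then
        return 0
    fi
    echo "checksum mismatch for $dest, discarding" >&2
    rm -f "$dest"
    return 1
}

# Stand-alone demonstration with a constructed "download": the fetch
# command simply writes a known payload, and the pinned digest is the
# SHA-1 of that payload ("hello\n").
demo() {
    tmp="$(mktemp)"
    pinned=f572d396fae9206628714fb2ce00f72e94f2258f   # sha1("hello\n")
    fetch_and_verify "$tmp" "$pinned" sh -c "printf 'hello\n' > '$tmp'" \
        && echo "verified: $tmp"
    rm -f "$tmp"
}
```

The pinned digest must come from the charm itself (its source, a resource declaration, or config set by the operator), not from a file sitting next to the binary on the same server, since an attacker who can replace the binary can replace that file too.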


