<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Matt,<div class=""><br class=""></div><div class="">For the charm in question, I would think adding the sha1sum check to the process would be sufficient, especially in the scenario that the binary is being self-hosted for the purposes of installing it via the charm.</div><div class=""><br class=""><div class="">
<div class=""><div class="">Adam Israel - Software Engineer</div><div class="">Canonical Ltd.</div><div class=""><a href="http://juju.ubuntu.com/" class="">http://juju.ubuntu.com/</a> - Automate your Cloud Infrastructure</div></div>

</div>
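<div class="">As an added example (not the charm under review and not Juju project code), the two checks discussed in this thread side by side: a pinned sftp host key, shipped with the charm, authenticates where the file came from, and a sha1sum recorded in the charm checks what was actually received before anything is installed. Host, user, remote path, the known_hosts location and the target path are placeholders.</div>
<div class=""><br class=""></div>

```shell
#!/bin/sh
# Added example, not code from the charm under review: authenticate the
# source (pinned sftp host key) AND the content (sha1sum) before installing.
# Hypothetical values: host, user, remote path and the known_hosts file
# shipped inside the charm are placeholders, not a real deployment.
set -eu

# sha1_matches FILE EXPECTED_SHA1: succeed only if the digest matches.
sha1_matches() {
    actual=$(sha1sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# verify_or_discard FILE EXPECTED_SHA1: on mismatch, delete the download so
# a tampered or corrupted file never lingers for a later install step.
verify_or_discard() {
    if sha1_matches "$1" "$2"; then
        return 0
    fi
    echo "sha1sum mismatch for $1; discarding" >&2
    rm -f "$1"
    return 1
}

# fetch_pinned HOST USER REMOTE_PATH DEST KNOWN_HOSTS: StrictHostKeyChecking
# with a known_hosts file shipped in the charm proves we reached the intended
# host. It says nothing about the bytes we received. Key-based auth is
# assumed here (BatchMode disables interactive password prompts).
fetch_pinned() {
    sftp -o StrictHostKeyChecking=yes \
         -o UserKnownHostsFile="$5" \
         -o BatchMode=yes \
         "$2@$1:$3" "$4"
}

# install_verified HOST USER REMOTE_PATH DEST KNOWN_HOSTS EXPECTED_SHA1 TARGET:
# fetch from the pinned host, then install only if the digest checks out.
install_verified() {
    fetch_pinned "$1" "$2" "$3" "$4" "$5"
    verify_or_discard "$4" "$6"
    install -m 0755 "$4" "$7"
}

# Example invocation with placeholder values, e.g. from a charm install hook:
# install_verified sftp.example.invalid deploy /pub/app.bin /tmp/app.bin \
#     "$CHARM_DIR/files/known_hosts" <sha1 recorded in the charm> /usr/local/bin/app
```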
<br class=""><div><blockquote type="cite" class=""><div class="">On Jan 13, 2016, at 2:14 PM, Tom Barber <<a href="mailto:tom@analytical-labs.com" class="">tom@analytical-labs.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><p dir="ltr" class="">Yeah but as pointed out earlier,  it verifies where you got it from,  but not what you got.  :)</p>
<div class="gmail_quote">On 13 Jan 2016 19:11, "Jay Wren" <<a href="mailto:jay.wren@canonical.com" class="">jay.wren@canonical.com</a>> wrote:<br type="attribution" class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">StrictHostKeyChecking and shipping the public key of the ssh host with<br class="">
the charm does seem to meet the criteria of verifying the intended<br class="">
source.<br class="">
<br class="">
<br class="">
On Wed, Jan 13, 2016 at 1:46 PM, Matt Bruzek<br class="">
<<a href="mailto:matthew.bruzek@canonical.com" class="">matthew.bruzek@canonical.com</a>> wrote:<br class="">
> I recently reviewed a charm that is using sftp to download the binary files<br class="">
> with a username and password.  The charm does not check the sha1sum of these<br class="">
> files.<br class="">
><br class="">
> The Charm Store Policy states:  Must verify that any software installed or<br class="">
> utilized is verified as coming from the intended source<br class="">
><br class="">
> <a href="https://jujucharms.com/docs/stable/authors-charm-policy" rel="noreferrer" target="_blank" class="">https://jujucharms.com/docs/stable/authors-charm-policy</a><br class="">
><br class="">
> Does using sftp eliminate the need to check the sha1sum of the files<br class="">
> downloaded?<br class="">
><br class="">
> What does the Juju community say to this question?<br class="">
><br class="">
>    - Matt Bruzek <<a href="mailto:matthew.bruzek@canonical.com" class="">matthew.bruzek@canonical.com</a>><br class="">
><br class="">
> --<br class="">
> Juju mailing list<br class="">
> <a href="mailto:Juju@lists.ubuntu.com" class="">Juju@lists.ubuntu.com</a><br class="">
> Modify settings or unsubscribe at:<br class="">
> <a href="https://lists.ubuntu.com/mailman/listinfo/juju" rel="noreferrer" target="_blank" class="">https://lists.ubuntu.com/mailman/listinfo/juju</a><br class="">
><br class="">
<br class="">
--<br class="">
Juju mailing list<br class="">
<a href="mailto:Juju@lists.ubuntu.com" class="">Juju@lists.ubuntu.com</a><br class="">
Modify settings or unsubscribe at: <a href="https://lists.ubuntu.com/mailman/listinfo/juju" rel="noreferrer" target="_blank" class="">https://lists.ubuntu.com/mailman/listinfo/juju</a><br class="">
</blockquote></div>
</div></blockquote></div><br class=""></div></body></html>