No, I don’t believe using SFTP is sufficient alone. Using a secure transfer protocol is good for preventing a man-in-the-middle attack but doesn’t do anything if the source binary, i.e., hosted on the "trusted" server, has been modified.
Adam Israel - Software Engineer Canonical Ltd. http://juju.ubuntu.com/ - Automate your Cloud Infrastructure > On Jan 13, 2016, at 1:46 PM, Matt Bruzek <matthew.bru...@canonical.com> wrote: > > I recently reviewed a charm that is using sftp to download the binary files > with a username and password. The charm does not check the sha1sum of these > files. > > The Charm Store Policy states: Must verify that any software installed or > utilized is verified as coming from the intended source > > https://jujucharms.com/docs/stable/authors-charm-policy > <https://jujucharms.com/docs/stable/authors-charm-policy> > > Does using sftp eliminate the need to check the sha1sum of the files > downloaded? > > What does the Juju community say to this question? > > - Matt Bruzek <matthew.bru...@canonical.com > <mailto:matthew.bru...@canonical.com>> > -- > Juju mailing list > Juju@lists.ubuntu.com > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/juju
-- Juju mailing list Juju@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/juju
