That sounds about right, yes. I’m not sure the specific steps we’d need to suggest to the developer to take to do that, but it would be worthwhile to do that so we can make better recommendations for situations like this in the future.
--
Adam Israel - Software Engineer
Canonical Ltd.
http://juju.ubuntu.com/ - Automate your Cloud Infrastructure

> On Jan 13, 2016, at 1:59 PM, Tom Barber <t...@analytical-labs.com> wrote:
>
> Surely it only prevents man in the middle if it does cert checking as well? If
> I just fired up SFTP and downloaded a file it could be from anywhere still.
> SFTP on most boxes encrypts the traffic but doesn't validate the certificate
> (unless it changes of course)
>
> On 13 Jan 2016 18:56, "Adam Israel" <adam.isr...@canonical.com> wrote:
> No, I don’t believe using SFTP is sufficient alone. Using a secure transfer
> protocol is good for preventing a man-in-the-middle attack but doesn’t do
> anything if the source binary, i.e., hosted on the "trusted" server, has been
> modified.
>
> Adam Israel - Software Engineer
> Canonical Ltd.
> http://juju.ubuntu.com/ - Automate your Cloud Infrastructure
>
>> On Jan 13, 2016, at 1:46 PM, Matt Bruzek <matthew.bru...@canonical.com> wrote:
>>
>> I recently reviewed a charm that is using sftp to download the binary files
>> with a username and password. The charm does not check the sha1sum of these
>> files.
>>
>> The Charm Store Policy states: Must verify that any software installed or
>> utilized is verified as coming from the intended source
>>
>> https://jujucharms.com/docs/stable/authors-charm-policy
>>
>> Does using sftp eliminate the need to check the sha1sum of the files
>> downloaded?
>>
>> What does the Juju community say to this question?
>>
>> - Matt Bruzek <matthew.bru...@canonical.com>
-- Juju mailing list Juju@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/juju
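An added example, not code from the thread or from the charm under review, of what the policy check in this discussion looks like in a charm hook: the transport (sftp with a pinned host key) protects the bytes in flight, and a digest pinned in the charm is what catches a binary that was modified on the server. File names, the known_hosts path and the sample digest are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the charm's own code: verify a fetched binary against a
# digest pinned in the charm before installing it, whatever transport fetched it.

# SHA-1 of a file as a bare hex string (sha1sum on Linux, shasum elsewhere).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum -a 1 "$1"; fi \
        | cut -d' ' -f1
}

# Returns 0 only when the file's digest equals the pinned value.
verify_sha1() {   # verify_sha1 <file> <expected-hex>
    [ "$(sha1_of "$1")" = "$2" ]
}

# Fetch over sftp with the server key pinned: StrictHostKeyChecking=yes makes
# ssh refuse an unknown or changed host key instead of prompting, and the
# known_hosts file shipped with the charm (assumed path) is the only trust anchor.
fetch_sftp() {    # fetch_sftp <user@host> <remote-path> <local-path> <known_hosts>
    sftp -o BatchMode=yes -o StrictHostKeyChecking=yes \
         -o UserKnownHostsFile="$4" "$1:$2" "$3"
}

# Install only a file whose digest matches; delete it otherwise so a later
# hook run cannot pick up the rejected copy.
install_verified() {   # install_verified <file> <expected-hex> <dest>
    if verify_sha1 "$1" "$2"; then
        install -m 0755 "$1" "$3"
    else
        echo "digest mismatch for $1, refusing to install" >&2
        rm -f "$1"
        return 1
    fi
}

# Offline demonstration on a constructed file: the pristine copy verifies, a
# copy altered at the source does not and is not installed. Returns 0 if both
# checks behave as expected.
demo_verification() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/app.bin"                    # constructed "download"
    pinned=f572d396fae9206628714fb2ce00f72e94f2258f      # sha1 of "hello\n"
    verify_sha1 "$dir/app.bin" "$pinned" || return 1
    printf 'hello\nextra\n' > "$dir/app.bin"             # modified on the server
    if verify_sha1 "$dir/app.bin" "$pinned"; then return 1; fi
    install_verified "$dir/app.bin" "$pinned" "$dir/installed" 2>/dev/null && return 1
    [ ! -e "$dir/app.bin" ] && [ ! -e "$dir/installed" ]
}

demo_verification && echo "pinned digest check behaves as expected"
```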