I disagree with the HTTPS comment, since if the certificate is validated by
an authority it's reasonable to assert you received it from intended part.
If SFTP and checking host keys like SSH should also perform the same
function as long as we have the hosts signature.

On Wed, Jan 13, 2016 at 8:56 PM Adam Israel <adam.isr...@canonical.com>
wrote:

> No, I don’t believe using SFTP is sufficient alone. Using a secure
> transfer protocol is good for preventing a man-in-the-middle attack but
> doesn’t do anything if the source binary, i.e., hosted on the "trusted"
> server, has been modified.
>
> Adam Israel - Software Engineer
> Canonical Ltd.
> http://juju.ubuntu.com/ - Automate your Cloud Infrastructure
>
> On Jan 13, 2016, at 1:46 PM, Matt Bruzek <matthew.bru...@canonical.com>
> wrote:
>
> I recently reviewed a charm that is using sftp to download the binary
> files with a username and password.  The charm does not check the sha1sum
> of these files.
>
> The Charm Store Policy states:  Must verify that any software installed or
> utilized is verified as coming from the intended source
>
> https://jujucharms.com/docs/stable/authors-charm-policy
>
> Does using sftp eliminate the need to check the sha1sum of the files
> downloaded?
>
> What does the Juju community say to this question?
>
>    - Matt Bruzek <matthew.bru...@canonical.com>
> --
> Juju mailing list
> Juju@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/juju
>
>
> --
> Juju mailing list
> Juju@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/juju
>
-- 
Juju mailing list
Juju@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/juju

Reply via email to