I think this is more of a discussion on whether you got 'what' you wanted or whether you got it from 'where' you wanted. Even if you used SFTP, the file could've changed, and if it doesn't have a SHA1SUM it could result in unexpected charm breakage.

If it were me, I would always implement SHA1SUMS, just to make sure that the file is, in fact, what I wanted. It would make it easier to debug and fix later down the road.


On 01/13/2016 02:18 PM, Adam Israel wrote:
Matt,

For the charm in question, I would think adding the sha1sum check to the
process would be sufficient, especially in the scenario that the binary
is being self-hosted for the purposes of installing it via the charm.

Adam Israel - Software Engineer
Canonical Ltd.
http://juju.ubuntu.com/ - Automate your Cloud Infrastructure

On Jan 13, 2016, at 2:14 PM, Tom Barber <t...@analytical-labs.com> wrote:

Yeah but as pointed out earlier, it verifies where you got it from,
but not what you got.  :)

On 13 Jan 2016 19:11, "Jay Wren" <jay.w...@canonical.com> wrote:

    StrictHostKeyChecking and shipping the public key of the ssh host with
    the charm does seem to meet the criteria of verifying the intended
    source.


    On Wed, Jan 13, 2016 at 1:46 PM, Matt Bruzek <matthew.bru...@canonical.com> wrote:
    > I recently reviewed a charm that is using sftp to download the binary files
    > with a username and password.  The charm does not check the sha1sum of these
    > files.
    >
    > The Charm Store Policy states:  Must verify that any software installed or
    > utilized is verified as coming from the intended source
    >
    > https://jujucharms.com/docs/stable/authors-charm-policy
    >
    > Does using sftp eliminate the need to check the sha1sum of the files
    > downloaded?
    >
    > What does the Juju community say to this question?
    >
    >    - Matt Bruzek <matthew.bru...@canonical.com>
    >
    > --
    > Juju mailing list
    > Juju@lists.ubuntu.com <mailto:Juju@lists.ubuntu.com>
    > Modify settings or unsubscribe at:
    > https://lists.ubuntu.com/mailman/listinfo/juju
    >

--
José Antonio Rey
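The two checks the thread separates, source (a pinned SSH host key) and content (a sha1sum compared against a value shipped inside the charm, not fetched from the same server), as an added example in POSIX shell. This is illustrative code written for this page, not code from any Juju charm or from the people quoted above; the host, user, paths and the `files/known_hosts` and expected-hash layout are assumptions, and the self-check at the end uses a constructed file whose digest is known.

```shell
#!/bin/sh
# Added example (not from the thread or any Juju charm): download a binary
# over sftp from a host whose key is pinned, then verify its sha1sum before
# anything uses it. Hypothetical layout assumed: the charm ships the server's
# host key in files/known_hosts and the expected digest in its own config.

set -eu

# Digest of a file as a lowercase hex string. Uses coreutils sha1sum where it
# exists and falls back to BSD shasum so the check runs on either platform.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_sha1 FILE EXPECTED: exit 0 when the file's digest equals EXPECTED,
# 1 otherwise. The expected value is lowercased so an upper-case hash copied
# from a release page still compares equal.
verify_sha1() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha1_of "$1")
    [ "$actual" = "$expected" ]
}

# fetch_pinned HOST USER REMOTE_PATH DEST KNOWN_HOSTS
# Source check only: with StrictHostKeyChecking=yes and a UserKnownHostsFile
# containing one key, ssh refuses (instead of prompting) if the server
# presents any other key. How the user authenticates (key or password) is
# orthogonal; this pins who the server is, not what it serves.
fetch_pinned() {
    sftp -o StrictHostKeyChecking=yes \
         -o UserKnownHostsFile="$5" \
         "$2@$1:$3" "$4"
}

# fetch_and_verify HOST USER REMOTE_PATH DEST KNOWN_HOSTS EXPECTED_SHA1
# Source check plus content check. A file that fails the digest comparison
# is deleted so no later hook can install it by accident.
fetch_and_verify() {
    dest=$4
    fetch_pinned "$1" "$2" "$3" "$dest" "$5"
    if verify_sha1 "$dest" "$6"; then
        return 0
    fi
    rm -f "$dest"
    echo "sha1 mismatch for $dest; refusing to install" >&2
    return 1
}

# Offline self-check on a constructed file: the sha1 of the six bytes
# "hello\n" is f572d396fae9206628714fb2ce00f72e94f2258f.
demo() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    if verify_sha1 "$tmp" f572d396fae9206628714fb2ce00f72e94f2258f; then
        echo "good: digest matches"
    fi
    # Simulate a file that changed on the server after the hash was recorded.
    if verify_sha1 "$tmp" 0000000000000000000000000000000000000000; then
        echo "bad: tampered file accepted"
    else
        echo "good: mismatch rejected"
    fi
    rm -f "$tmp"
}

demo
```

`fetch_and_verify` is the shape a charm install hook would take: the known_hosts file and the expected digest both come from the charm itself, so a compromised or simply updated download server changes neither. The same `verify_sha1` works unchanged with `sha256sum` substituted for `sha1sum` if a stronger digest is wanted.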