Closed lazypower closed 10 years ago
In the work to get this charm promoted I am going to include the latest release zip in the charm which will mitigate this issue in the short term. Unfortunately, at the moment, they don't provide SHAs for their release files.
In the future I'm going to add the ability for the user to define a hash to deploy and at that time it will require git (among many other deps) so MITM will be mitigated across both fronts.
See issues #17 and #3
Needs a Sha1SUM or Sha256SUM validation of downloaded payloads to verify they haven't been subjected to a MITM.
A simple workaround for this would be to use Git as the delivery mechanism and use a TAG/HASH value for the delivery, as git does cryptographic verification ootb.
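
The checksum validation requested above, as an added example that is not part of the original issue or the charm's code: a downloaded payload is only moved into place if its SHA-256 matches a digest pinned in the charm, and is deleted otherwise. The function names are hypothetical, the payload is constructed sample data, and the pinned digest is assumed to have been recorded by the charm maintainer from a copy they trust.

```python
import hashlib
import hmac
import os
import tempfile


class DigestMismatch(Exception):
    """Raised when a payload does not match its pinned SHA-256 digest."""


def sha256_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so a large release zip is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def install_verified(downloaded_path, pinned_sha256, final_path):
    """Promote the download to final_path only if its digest matches the pin."""
    actual = sha256_file(downloaded_path)
    if not hmac.compare_digest(actual, pinned_sha256.strip().lower()):
        os.unlink(downloaded_path)  # fail closed: never unpack a mismatching file
        raise DigestMismatch("expected %s, got %s" % (pinned_sha256, actual))
    os.replace(downloaded_path, final_path)  # atomic rename on the same filesystem
    return final_path


def demo():
    """Run the check on a constructed payload and on a modified copy of it."""
    workdir = tempfile.mkdtemp()
    release = b"constructed sample release payload\n"  # stand-in for the release zip
    pinned = hashlib.sha256(release).hexdigest()  # in a charm: a constant shipped with it
    good = os.path.join(workdir, "download.good")
    bad = os.path.join(workdir, "download.bad")
    with open(good, "wb") as fh:
        fh.write(release)
    with open(bad, "wb") as fh:
        fh.write(release + b"extra bytes")  # simulates modification in transit
    installed = install_verified(good, pinned, os.path.join(workdir, "release.zip"))
    try:
        install_verified(bad, pinned, os.path.join(workdir, "release2.zip"))
        rejected = False
    except DigestMismatch:
        rejected = True
    return os.path.basename(installed), rejected, os.path.exists(bad)
```

The check only helps if the pinned digest reaches the unit by a path other than the download itself, for example as a value stored in the charm.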