Charms are not sufficiently tamper proof

Bug #992454 reported by Clint Byrum
This bug affects 1 person
Affects: pyjuju
Status: Triaged
Importance: Low
Assigned to: Unassigned

Bug Description

The charm store security model relies a lot on transport level authentication.

~charmer member ---ssh+bzr-->launchpad
launchpad---https---->charm store
charm store----https---->agent

Through all of this, the code that runs as root (the charm hooks) is authenticated to come from the immediate partner in the link. So launchpad trusts the ssh key to specify that the member is part of ~charmers and writes to it. Then the charm store trusts launchpad that the charm is the one that the member/team owned. Then the agent trusts the charm store that the charm it is downloading is the original ~charmers member owned charm.

But if any of the parties in that chain tamper with the payload, there is no way to detect that.

GPG signatures on the charm content should be required to transfer things into the charm store, and these signatures should be verified by each receiving party, so that none of them can be fooled by any one member of the chain.
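To make the end-to-end property concrete, the following is an added illustration (not code from this bug report or from juju) of the model the report asks for: the charmer signs the charm content once, the signature travels with the payload, and every hop verifies it against the charmer's public key instead of trusting whoever handed it the bytes. It uses Ed25519 from Go's standard library in place of GPG, which is an assumption made so the example runs stand-alone; the type and function names, and the sample hook content, are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedCharm pairs a charm archive with a detached signature over its
// SHA-256 digest. The struct and names are illustrative, not a juju API.
type SignedCharm struct {
	Archive   []byte // charm payload: hooks, metadata, ...
	Signature []byte // Ed25519 signature over sha256(Archive)
}

// SampleCharm is a constructed stand-in for a charm's install hook.
var SampleCharm = []byte("#!/bin/sh\n# hooks/install (constructed sample)\napt-get install -y nginx\n")

func digest(archive []byte) []byte {
	h := sha256.Sum256(archive)
	return h[:]
}

// GenerateKeys creates the charmer's long-lived signing key pair.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is done once by the ~charmers member before the charm leaves their machine.
func Sign(priv ed25519.PrivateKey, archive []byte) SignedCharm {
	return SignedCharm{Archive: archive, Signature: ed25519.Sign(priv, digest(archive))}
}

// Verify is run independently by each receiving party (launchpad, the charm
// store, the agent) against the charmer's public key, so transport-level
// trust in the previous hop is no longer what protects the root-running hooks.
func Verify(pub ed25519.PublicKey, c SignedCharm) error {
	if !ed25519.Verify(pub, digest(c.Archive), c.Signature) {
		return errors.New("charm signature does not verify: content altered or signed by another key")
	}
	return nil
}

// Tamper models an intermediary in the chain editing a hook in transit
// while forwarding the original signature unchanged.
func Tamper(c SignedCharm) SignedCharm {
	t := c
	t.Archive = bytes.Replace(c.Archive, []byte("apt-get install -y nginx"), []byte("echo tampered"), 1)
	return t
}

// Demo returns whether the genuine charm verifies and whether the tampered
// copy verifies; with an end-to-end signature the answers are true, false.
func Demo() (genuineOK bool, tamperedOK bool) {
	pub, priv := GenerateKeys()
	signed := Sign(priv, SampleCharm)
	genuineOK = Verify(pub, signed) == nil
	tamperedOK = Verify(pub, Tamper(signed)) == nil
	return genuineOK, tamperedOK
}

func main() {
	ok, bad := Demo()
	fmt.Printf("genuine charm verifies: %v\ntampered charm verifies: %v\n", ok, bad)
}
```

The point of the layout is that `Verify` takes only the charmer's public key and the payload it actually received; it does not care which hop delivered it, which is exactly the property the transport-only chain lacks.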

Curtis Hovey (sinzui)
Changed in juju:
importance: Undecided → Low
status: New → Triaged