Hi Sharan,
Thanks for the work on getting IBM Websphere eXtreme Scale into the juju charm ecosystem. Matt and I had another look through the charm code and noticed issues with validating the checksum on binary downloads:
http://bazaar.launchpad.net/~ibmcharmers/charms/trusty/ibmwxs/trunk/view/head:/hooks/config-changed#L188
http://bazaar.launchpad.net/~ibmcharmers/charms/trusty/ibmwxs/trunk/view/head:/hooks/config-changed#L293
In the config-changed hook, the code skips any sha1sum if the config value is missing. This happens for the IM, WXS base, and WXS fixpack binaries. If the user inadvertently left the default values in config.yaml, none of these binaries would be checksum validated. This could be dangerous -- if an end user has a compromised binary, the charm should fail to install it. The charm author policy (https://jujucharms.com/docs/devel/authors-charm-policy) requires that all software payloads have their checksums validated:
----
Must verify that any software installed or utilized is verified as coming from the intended source. Any software installed from the Ubuntu archive satisfies this due to the apt sources including cryptographic signing information.
----
One way to fix this would be to disallow empty sha config values, and exit if those values have not been provided by the user. Another way would be to provide default sha1 values -- since the charm provides default filenames, the sha1sum of these files should be known and can be used as defaults.
I'm going to put this charm into "In Progress" until this sha issue is resolved, as the current implementation violates store policy. Please let us know if you have questions/concerns regarding the proposed changes, and we'll be happy to help.
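The pattern the review describes, as an added example that is not the ibmwxs charm's own hook code: the weak check that silently skips verification when the configured sha1 is empty, beside a hardened version that treats a missing or malformed value as a hard failure. The function names and the `--demo` flag are assumptions; `config-get` in the usage comment is the standard juju hook tool.

```shell
#!/bin/bash
# Added example (not from the ibmwxs charm). Both helpers take a file path
# and the expected sha1 (in a hook: "$(config-get im_sha1)"), return 0 on
# success and non-zero on failure.

# Weak pattern described in the review: an empty expected value skips the
# check, so an unverified (possibly compromised) binary gets installed.
weak_verify_sha1() {
    local file="$1" expected="$2"
    if [ -z "$expected" ]; then
        return 0            # BUG: silently passes with nothing verified
    fi
    [ "$(sha1sum "$file" | cut -d' ' -f1)" = "$expected" ]
}

# Hardened pattern: an empty or non-hex value is an error, and a mismatch
# fails, so the calling hook exits before installing anything.
verify_sha1() {
    local file="$1" expected="$2" actual
    if [ -z "$expected" ]; then
        echo "ERROR: no sha1sum configured for $file; refusing to install" >&2
        return 1
    fi
    if ! printf '%s' "$expected" | grep -Eq '^[0-9a-fA-F]{40}$'; then
        echo "ERROR: configured sha1sum for $file is not a 40-digit hex value" >&2
        return 1
    fi
    if [ ! -f "$file" ]; then
        echo "ERROR: $file does not exist" >&2
        return 1
    fi
    actual=$(sha1sum "$file" | cut -d' ' -f1)
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "ERROR: sha1sum mismatch for $file (expected $expected, got $actual)" >&2
        return 1
    fi
    return 0
}

# In a hook this would be:  verify_sha1 "$im_binary" "$(config-get im_sha1)" || exit 1
# Stand-alone demo on a constructed file: run with --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); printf 'constructed sample payload\n' > "$tmp"
    good=$(sha1sum "$tmp" | cut -d' ' -f1)
    verify_sha1 "$tmp" "$good" && echo "correct sha1: accepted"
    verify_sha1 "$tmp" "" || echo "empty sha1: rejected (weak check would pass)"
    rm -f "$tmp"
fi
```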