Community
Participate
Working Groups
This is more of a "to do" item for me ... if I can find the time ... not expecting any change in build or code (for now) but in light of bug 408901, I am curious how many "inner jars" we have, which they are, and, most important, if it is the case we would want them all signed? Or just a select few? If just a select few, that would effect the solution/fix we'd want in bug 401141 (i.e. does it need to be configurable for each bundle produced, or would a "blanket signing if inner jars" suffice?
Will attaching listings. Not sure this will be very helpful, since it does not look at packages, does not really say which inner jars need to be signed, and which not ... but, it does show we have a LOT of inner jars. Mostly in tests, and in the past, we never signed tests anyway at all. Some of those in the main "code" bundles, already are marked with eclipse.inf to exclude children from signing so any solution to bug 401141 needs to take eclipse.inf into account.
Created attachment 231525 [details] less interesting tests and examples inner jars should not matter if these are signed or not ... as far as I know.
Created attachment 231526 [details] code bundles with innerjars some already specify "don't sign inner jars" (not sure if due to classpath security issues, or ... just not needed ... in theory some cases could have performance implications, I'd guess. The one that Tom mentions as "matters" shows up: org.eclipse.core.runtime.compatibility.registry_3.5.200.v20130514-1256.jar runtime_registry_compatibility.jar But, not sure any of the others do. Almost makes me wonder if the solution in the main bug should have it configurable, so the default would be to not sign inner jars, but could be configured to override and say "sign inner jars"? It might be just about as easy to fix/improve the "cbi signing plugin", but also wonder if a work-around could be done in the runtime.compatibility.registry bundle and use "antrun" to sign this one particular inner jar? Well, then outer jar would have to be resigned, probably ... yeah, easier to fix "cbi signing plugin" :)
marking as fixed, with 'info' as keyword, just to emphasize this is "data only", no changes to code.
bookkeeping, since obviously done.