Re: [equinox-dev] ANNOUNCEMENT - Security "Work Area" in Equinox/Eclipse
- From: Benjamin Reed <breed@xxxxxxxxxxxxxxx>
- Date: Fri, 28 Jan 2005 13:51:53 -0800
- Delivered-to: firstname.lastname@example.org
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20050105 Debian/1.7.5-1
Signing a jar file doesn't mean that additional files can be added.
Actually it is perfectly valid since you can have partially signed Jar
files. The new files would just have no signature or possibly a
different signature. It also doesn't stop files from being removed. It
only stops files from getting modified.
Right now work is going on in OSGi to require that bundles be fully
signed. What this means is that files not signed by the same signer as
the manifest will be ignored. Signatures that do not sign the manifest
will also be ignored. I think this would address the problems you are
Dorian Birsan wrote:
The update manager needs better support for dealing with signed
features and plugins. It looks like signing a jar does not stop one
from adding other unsigned files to the jar.
See bug https://bugs.eclipse.org/bugs/show_bug.cgi?id=83349. As the
update team is interested in your work, do you have any bugs that we
could cc: to for tracking the security work effort?
Sent by: equinox-dev-admin@xxxxxxxxxxx
01/28/2005 09:48 AM
Please respond to
[equinox-dev] ANNOUNCEMENT - Security "Work Area" in Equinox/Eclipse
Please see the update overviews in the Security work area of Equinox. The
goal of the work area is to further discussion and development of Eclipse
and the Eclipse RCP as a secure application platform.
IBM Software Group
Workplace, Portal and Collaboration Software
(formerly Lotus Software)
"Committee, n.: A group of men who individually can do nothing but as
a group decide that nothing can be done. -- Fred Allen"
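
An added example, not part of the original thread and not Equinox or OSGi code: a Python audit of the partially signed jar case discussed above, reporting entries added to, removed from, or modified in a jar relative to its manifest. The helper names and the sample jar are constructed; the check covers manifest digests only and does not verify the signature block (`.SF` / PKCS#7) that binds the manifest to a signer, and it assumes short entry names with no 72-byte manifest line continuations.

```python
import base64
import hashlib
import io
import zipfile

def _digest(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_jar(files, listed=None):
    """Constructed sample jar: the manifest lists `listed`, the archive holds `files`."""
    listed = files if listed is None else listed
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in listed.items():
        manifest += f"Name: {name}\r\nSHA-256-Digest: {_digest(data)}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def audit_jar(jar_bytes):
    """Compare archive entries with the per-entry digests in the manifest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        text = z.read("META-INF/MANIFEST.MF").decode().replace("\r\n", "\n")
        digests = {}
        for section in text.split("\n\n")[1:]:  # skip the main section
            attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
            if "Name" in attrs:
                digests[attrs["Name"]] = attrs.get("SHA-256-Digest")
        present = {n for n in z.namelist()
                   if not n.startswith("META-INF/") and not n.endswith("/")}
        listed = set(digests)
        return {
            # In the archive but absent from the manifest: added, unsigned content.
            "unlisted": sorted(present - listed),
            # In the manifest but gone from the archive: removed content.
            "missing": sorted(listed - present),
            # Present and listed, but the bytes no longer match the digest.
            "modified": sorted(n for n in present & listed
                               if _digest(z.read(n)) != digests[n]),
        }

# Constructed sample data.
ORIGINAL = {"plugin.xml": b"<plugin/>", "Main.class": b"\xca\xfe\xba\xbe"}
TAMPERED = {"plugin.xml": b"<plugin id='x'/>", "Extra.class": b"added"}

if __name__ == "__main__":
    print(audit_jar(build_jar(ORIGINAL)))
    print(audit_jar(build_jar(TAMPERED, listed=ORIGINAL)))
```

A loader that requires fully signed bundles, as described in the reply, would treat a non-empty `unlisted` list as content to ignore or reject rather than load.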