Re: [equinox-dev] ANNOUNCEMENT - Security "Work Area" in Equinox/Eclipse

Signing a jar file doesn't mean that additional files can be added. Actually it is perfectly valid since you can have partially signed Jar files. The new files would just have no signature or possibly a different signature. It also doesn't stop files from being removed. It only stops files from getting modified.

Right now work is going on in OSGi to require that bundles be fully signed. What this means is that files not signed by the same signer as the manifest will be ignored. Signatures that do not sign the manifest will also be ignored. I think this would address the problems you are running into.

ben
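The reply above explains what a jar signature does and does not cover: the manifest carries a per-entry digest, the .SF file carries a digest of the manifest, and a PKCS#7 block signs the .SF file. Anything not listed in the manifest is simply unsigned, an entry listed in the manifest but missing from the jar is not flagged by a plain "does it open" check, and only a listed entry whose bytes no longer match its digest fails verification. The script below is an added example, not code from this thread or from Equinox/OSGi: it builds a constructed jar with digest-complete manifest and .SF entries, then audits a jar the way a "fully signed" policy would, reporting unsigned additions, removed entries, modified entries, and whether the .SF file actually covers the manifest. The signer name SIGNER.SF, the sample entry names and their bytes are assumptions, and the .RSA block is a placeholder; verifying the PKCS#7 signature over the .SF file needs a crypto library and is deliberately out of scope here.

```python
import base64
import hashlib
import io
import zipfile

# Signature block suffixes that live under META-INF/ and are not "content".
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def _b64sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def parse_manifest(text: str):
    """Split a MANIFEST.MF or .SF into (main_attrs, {entry_name: attrs}).

    Sections are separated by blank lines; a line starting with one space
    continues the previous attribute (the jar spec's 72-byte line wrap)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = [], {}
    for line in lines:
        if not line:
            if current:
                sections.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        sections.append(current)
    main = sections[0] if sections else {}
    named = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return main, named


def build_manifest(entries: dict) -> bytes:
    out = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        out += [f"Name: {name}", f"SHA-256-Digest: {_b64sha256(data)}", ""]
    return ("\r\n".join(out) + "\r\n").encode()


def build_signed_jar(entries: dict) -> bytes:
    """Constructed jar: manifest digests every entry, the .SF digests the
    manifest. The .RSA entry is a placeholder; no PKCS#7 signature is made."""
    manifest = build_manifest(entries)
    sf = (f"Signature-Version: 1.0\r\n"
          f"SHA-256-Digest-Manifest: {_b64sha256(manifest)}\r\n\r\n").encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/SIGNER.SF", sf)            # assumed signer name
        zf.writestr("META-INF/SIGNER.RSA", b"<pkcs7 placeholder>")
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def tamper(jar_bytes: bytes, add=None, remove=None, modify=None) -> bytes:
    """Rewrite a jar adding, dropping or replacing one entry; META-INF is
    copied through untouched, exactly as an attacker editing a zip would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(buf, "w") as dst:
        for name in src.namelist():
            if name == remove:
                continue
            data = src.read(name)
            if modify and name == modify[0]:
                data = modify[1]
            dst.writestr(name, data)
        if add:
            dst.writestr(add[0], add[1])
    return buf.getvalue()


def _is_signature_meta(name: str) -> bool:
    return name == "META-INF/MANIFEST.MF" or (
        name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES))


def audit_jar(jar_bytes: bytes) -> dict:
    """Classify entries against the manifest digests and the first .SF file."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        manifest = zf.read("META-INF/MANIFEST.MF")
        _, digests = parse_manifest(manifest.decode())
        sf_names = sorted(n for n in names if n.upper().endswith(".SF"))
        sf_main = parse_manifest(zf.read(sf_names[0]).decode())[0] if sf_names else {}
        content = {n for n in names if not n.endswith("/") and not _is_signature_meta(n)}
        signed = content & set(digests)
        return {
            "unsigned": sorted(content - set(digests)),      # added after signing
            "removed": sorted(set(digests) - names),         # listed, but gone
            "modified": sorted(n for n in signed
                               if _b64sha256(zf.read(n)) != digests[n].get("SHA-256-Digest")),
            "manifest_signed": sf_main.get("SHA-256-Digest-Manifest") == _b64sha256(manifest),
        }


# Constructed sample bundle content; the class bytes are not a real class file.
ENTRIES = {
    "org/example/Activator.class": b"\xca\xfe\xba\xbe constructed class bytes",
    "plugin.xml": b"<plugin/>",
}

if __name__ == "__main__":
    clean = build_signed_jar(ENTRIES)
    print(audit_jar(tamper(clean, add=("org/example/Extra.class", b"unsigned"))))
```

A policy of the kind the reply describes would reject the jar unless `unsigned` and `removed` are empty, `modified` is empty, and `manifest_signed` is true; the remaining step, checking the .RSA block against the .SF bytes and a trusted certificate, is what turns a digest audit into a signature check.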

Dorian Birsan wrote:


The update manager needs better support for dealing with signed features and plugins. It looks like signing a jar does not stop one from adding other unsigned files to the jar.
See bug https://bugs.eclipse.org/bugs/show_bug.cgi?id=83349. As the update team is interested in your work, do you have any bugs that we could cc: to for tracking the security work effort?


-Dorian



jrosenth@xxxxxxxxxxxxxxxx
Sent by: equinox-dev-admin@xxxxxxxxxxx
01/28/2005 09:48 AM
Please respond to equinox-dev

To: equinox-dev@xxxxxxxxxxx
cc:
Subject: [equinox-dev] ANNOUNCEMENT - Security "Work Area" in Equinox/Eclipse

Please see the update overviews in the Security work area of Equinox. The goal of the work area is to further discussion and development of Eclipse and the Eclipse RCP as a secure application platform.

http://dev.eclipse.org/viewcvs/indextech.cgi/~checkout~/equinox-home/security/index.html
Jay R.
IBM Software Group
Workplace, Portal and Collaboration Software
(formerly Lotus Software)
"Committee, n.: A group of men who individually can do nothing but as a group decide that nothing can be done. -- Fred Allen"