Re: [equinox-dev] ANNOUNCEMENT - Security "Work Area" in Equinox/Eclipse


I think some of that code needs to be made available to the update manager (API or duplicated), for feature jar files to be processed in the same manner.

-Dorian



Benjamin Reed <breed@xxxxxxxxxxxxxxx>
Sent by: equinox-dev-admin@xxxxxxxxxxx
01/28/2005 04:51 PM
Please respond to: equinox-dev
To: equinox-dev@xxxxxxxxxxx
Subject: Re: [equinox-dev] ANNOUNCEMENT - Security "Work Area" in Equinox/Eclipse

Signing a jar file doesn't mean that additional files can be added.
Actually it is perfectly valid since you can have partially signed Jar
files. The new files would just have no signature or possibly a
different signature. It also doesn't stop files from being removed. It
only stops files from getting modified.

Right now work is going on in OSGi to require that bundles be fully
signed. What this means is that files not signed by the same signer as
the manifest will be ignored. Signatures that do not sign the manifest
will also be ignored. I think this would address the problems you are
running into.

ben

Dorian Birsan wrote:

>
> The update manager needs better support for dealing with signed
> features and plugins. It looks like signing a jar does not stop one
> from adding other unsigned files to the jar.
> See bug https://bugs.eclipse.org/bugs/show_bug.cgi?id=83349. As the
> update team is interested in your work, do you have any bugs that we
> could cc: to for tracking the security work effort?
>
> -Dorian
>
>
>
> jrosenth@xxxxxxxxxxxxxxxx
> Sent by: equinox-dev-admin@xxxxxxxxxxx
> 01/28/2005 09:48 AM
> Please respond to: equinox-dev
> To: equinox-dev@xxxxxxxxxxx
> Subject: [equinox-dev] ANNOUNCEMENT - Security "Work Area" in Equinox/Eclipse
>
> Please see the update overviews in the Security work area of Equinox.  The
> goal of the work area is to further discussion and development of Eclipse
> and the Eclipse RCP as a secure application platform.
>
> http://dev.eclipse.org/viewcvs/indextech.cgi/~checkout~/equinox-home/security/index.html
> Jay R.
> IBM Software Group
> Workplace, Portal and Collaboration Software
> (formerly Lotus Software)
> "Committee, n.: A group of men who individually can do nothing but as
> a group decide that nothing can be done. -- Fred Allen"
>
>
>

_______________________________________________
equinox-dev mailing list
equinox-dev@xxxxxxxxxxx
http://dev.eclipse.org/mailman/listinfo/equinox-dev
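
The thread above distinguishes three changes to a signed jar: files added, files removed, and files modified. The following is an added example, not code from the thread or from Equinox, that audits a jar's entries against the per-entry digests in its manifest and reports each case. Assumptions: the function names are hypothetical, only `SHA-256-Digest` attributes are handled, the sample jar is constructed, and the signature over the manifest itself is verified separately (for example with `jarsigner -verify`).

```python
import base64, hashlib, io, zipfile

def parse_manifest(text):
    """Return {entry name: attributes} for the per-entry manifest sections."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    sections = {}
    for block in text.split("\n\n"):
        attrs = dict(ln.split(": ", 1) for ln in block.split("\n") if ": " in ln)
        if "Name" in attrs:
            sections[attrs.pop("Name")] = attrs
    return sections

def is_payload(name):
    # Directories and the signing metadata in META-INF/ carry no digest of their own.
    up = name.upper()
    return not (up.endswith("/") or (up.startswith("META-INF/")
                and up.endswith((".MF", ".SF", ".RSA", ".DSA", ".EC"))))

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def audit_jar(jar_bytes):
    """Sort payload entries into unsigned (added), modified and removed."""
    report = {"unsigned": [], "modified": [], "removed": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = [n for n in jar.namelist() if is_payload(n)]
        sections = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in names:
            want = sections.get(name, {}).get("SHA-256-Digest")
            if want is None:
                report["unsigned"].append(name)   # no digest: a partially signed jar
            elif b64_sha256(jar.read(name)) != want:
                report["modified"].append(name)   # digest mismatch: content changed
        report["removed"] = sorted(set(sections) - set(names))
    return report

def build_sample_jar():
    """Constructed sample: A intact, B modified, C removed, Extra added."""
    signed = {"plugin/A.class": b"A", "plugin/B.class": b"B", "plugin/C.class": b"C"}
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        f"Name: {n}\r\nSHA-256-Digest: {b64_sha256(d)}\r\n\r\n" for n, d in signed.items())
    shipped = [("META-INF/MANIFEST.MF", manifest.encode()), ("META-INF/SIGNER.SF", b""),
               ("plugin/A.class", b"A"), ("plugin/B.class", b"tampered"),
               ("plugin/Extra.class", b"added after signing")]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in shipped:
            jar.writestr(name, data)
    return buf.getvalue()
```

A loader that requires fully signed content would treat any non-empty `unsigned` or `removed` list as a reason to reject or ignore those entries, rather than checking `modified` alone.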