I think some of that code needs to be
made available to the update manager (API or duplicated), for feature jar
files to be processed in the same manner.
Benjamin Reed <breed@xxxxxxxxxxxxxxx>
Sent by: equinox-dev-admin@xxxxxxxxxxx
01/28/2005 04:51 PM
Please respond to
Re: [equinox-dev] ANNOUNCEMENT - Security "Work Area" in Equinox/Eclipse
Signing a jar file doesn't mean that additional files
can be added.
Actually it is perfectly valid since you can have partially signed Jar
files. The new files would just have no signature or possibly a
different signature. It also doesn't stop files from being removed. It
only stops files from getting modified.
Right now work is going on in OSGi to require that bundles be fully
signed. What this means is that files not signed by the same signer as
the manifest will be ignored. Signatures that do not sign the manifest
will also be ignored. I think this would address the problems you are
Dorian Birsan wrote:
> The update manager needs better support for dealing with signed
> features and plugins. It looks like signing a jar does not stop one
> from adding other unsigned files to the jar.
> See bug https://bugs.eclipse.org/bugs/show_bug.cgi?id=83349. As the
> update team is interested in your work, do you have any bugs that
> could cc: to for tracking the security work effort?
> Sent by: equinox-dev-admin@xxxxxxxxxxx
> 01/28/2005 09:48 AM
> Please respond to
ANNOUNCEMENT - Security "Work Area" in Equinox/Eclipse
> Please see the update overviews in the Security work area of Equinox.
> goal of the work area is to further discussion and development of
> and the Eclipse RCP as a secure application platform.
> Jay R.
> IBM Software Group
> Workplace, Portal and Collaboration Software
> (formerly Lotus Software)
> "Committee, n.: A group of men who individually can do nothing
> a group decide that nothing can be done. -- Fred Allen"
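The partial-signing behaviour discussed in this thread, as an added example (not code from the thread, from Equinox or from the update manager): it compares a jar's entries with the per-entry sections of META-INF/MANIFEST.MF and META-INF/*.SF and reports files that were added, removed or modified after signing. The sample jar, the DEMO.SF name and the SHA-256-Digest-only handling are assumptions of the example, and the signature block itself is not verified.

```python
import base64, hashlib, io, zipfile

def b64sha(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_sections(text):
    """Map entry name -> attributes for the per-entry sections of a manifest or .SF file."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    sections = {}
    for block in text.split("\n\n")[1:]:  # block 0 is the main section
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "Name" in attrs:
            sections[attrs.pop("Name")] = attrs
    return sections

def audit_jar(data):
    """Classify entries by signature-file coverage (digests only; PKCS#7 block NOT verified)."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
        manifest = parse_sections(jar.read("META-INF/MANIFEST.MF").decode())
        sf_names = [n for n in names if n.startswith("META-INF/") and n.endswith(".SF")]
        covered = {e for n in sf_names for e in parse_sections(jar.read(n).decode())}
        report = {"ok": [], "modified": [], "unsigned": [], "removed": []}
        payload = [n for n in names if not n.startswith("META-INF/")]
        for n in payload:
            if n not in covered or n not in manifest:
                report["unsigned"].append(n)   # added file: no signature covers it
            else:
                ok = manifest[n].get("SHA-256-Digest") == b64sha(jar.read(n))
                report["ok" if ok else "modified"].append(n)
        report["removed"] = sorted(covered - set(payload))  # signed but no longer present
        return report

def build_sample():
    """Constructed jar: a, b, c 'signed', then b removed, c changed, one file added."""
    secs = {n: f"Name: {n}\nSHA-256-Digest: {b64sha(v)}\n\n"
            for n, v in {"a.class": b"A", "b.class": b"B", "c.class": b"C"}.items()}
    sf = "".join(f"Name: {n}\nSHA-256-Digest: {b64sha(s.encode())}\n\n" for n, s in secs.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n\n" + "".join(secs.values()))
        jar.writestr("META-INF/DEMO.SF", "Signature-Version: 1.0\n\n" + sf)
        for name, body in {"a.class": b"A", "c.class": b"C2", "added.class": b"X"}.items():
            jar.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_jar(build_sample()))
```

A fully-signed policy of the kind described above would reject or ignore this jar's `unsigned` entries instead of loading them.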