Re: [equinox-dev] Using the org.eclipse.osgi.jar.verifier
- From: BJ Hargrave <hargrave@xxxxxxxxxx>
- Date: Mon, 21 Nov 2005 09:58:41 -0500
- Delivered-to: email@example.com
equinox-dev-bounces@xxxxxxxxxxx wrote on 2005-11-21 09:10:22 AM:
> BJ, according to the OSGi spec is the Framework required to verify
> the whole jar each time the Framework is started? The current
> implementation verifies each entry of the bundle as it is loaded on
> demand (e.g. when a class/resource is loaded). We do not
> aggressively verify the complete jar at startup. This would affect
> startup time in an unacceptable way. Imagine verifying 1000 jar
> files at startup. It would take over 10 minutes just to start up!!
Well, unless the framework keeps the bundles in a tamperproof store, not
verifying them is an excellent attack technique! I can replace a verified
jar with my attack jar and then when Eclipse restarts, I am free to
> Andre, you may want to try running Eclipse with the property
> osgi.checkConfiguration=true set. This should cause any bundles which
> get modified to be reinstalled. Similar to -clean except only for
> the bundles which got modified.
Perhaps this is the answer. I am not sure how you detect modification when
it happens outside of the running Eclipse.
Senior Technical Staff Member, IBM
OSGi Fellow and CTO of the OSGi Alliance
Office: +1 407 849 9117 Mobile: +1 386 848 3788
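
The trade-off discussed in this thread (per-entry verification on demand versus checking the complete jar at startup), shown as an added example that is not part of the original message and is not Equinox code. It uses only the standard `java.util.jar` API; the class name `EagerJarCheck` and the policy of rejecting any unsigned entry are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example: eager whole-jar check with java.util.jar only (hypothetical class).
public class EagerJarCheck {

    // Returns normally if every entry verifies; throws SecurityException otherwise.
    static void verifyWholeJar(String path) throws IOException {
        byte[] buf = new byte[8192];
        // verify=true turns signature checking on, but an entry's digest is only
        // compared once its stream has been read to the end. Opening the jar
        // alone therefore proves nothing about entries nobody has read yet.
        try (JarFile jar = new JarFile(path, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory()) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    // Drain the entry; a digest mismatch raises SecurityException here.
                    while (in.read(buf) != -1) { }
                }
                // Simplification: skip META-INF/, where the signature files live.
                if (e.getName().startsWith("META-INF/")) continue;
                // Signers are only available after the entry has been fully read.
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    throw new SecurityException("unsigned entry: " + e.getName());
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Usage: java EagerJarCheck bundle1.jar bundle2.jar ...
        for (String path : args) {
            try {
                verifyWholeJar(path);
                System.out.println("OK       " + path);
            } catch (SecurityException ex) {
                System.out.println("REJECTED " + path + ": " + ex.getMessage());
            }
        }
    }
}
```

This checks that each entry matches a signature present in the jar, not that the signer is one the framework trusts, so a replacement jar signed with a different key still passes until the signer certificates are compared against an expected set.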