[equinox-dev] Secure Storage Javadoc Gotchas

Hi Folks,
 
I'm impressed by the new Secure Storage features as per
http://download.eclipse.org/eclipse/downloads/drops/S-3.4M6-200803301350/eclipse-news-M6.html#equinox.security.storage
 
Trying to investigate these a little closer, I came across a few
gotchas that I wanted to mention but was just too lazy to file
individual bugzillas for them - so here you go:
 
org.eclipse.equinox.security.secureStorage extension point docs
- missing @since information, missing link to PasswordProvider class
 
PasswordProvider Javadocs
- missing hyperlink to secureStorage extension point
- missing link to ISecurePreferences
 
ISecurePreferences Javadocs
- missing hyperlink to PasswordProvider
 
How Secure is the default Secure Storage provided actually?
It says "Java Encryption is used" ... what encryption does it
use? Where does the Password come from by default? What
happens when a new password is generated, how and when is
the user asked about the password? How secure is the storage
against malicious plugins running inside the same OSGi session?
I'd suppose they can easily retrieve any information once the
session has been opened by (somebody)?
 
FYI, we're considering migrating the RSE Remote Password
Support to secure preferences from our current keyring usage.
We've filed this bug for it:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=225320
 
Are you aware of any other adopters, e.g. Platform Team/CVS
such that we could share experiences? Would you mind helping
us get started? - On our side, integration should be fairly
easy since only one impl class should be affected
(PasswordPersistenceManager). What we're not yet sure
about is whether we should migrate old passwords from Eclipse
Keyring to the new Secure Storage.
 
Cheers,
--
Martin Oberhuber, Senior Member of Technical Staff, Wind River
Target Management Project Lead, DSDP PMC Member
http://www.eclipse.org/dsdp/tm
 
 


From: equinox-dev-bounces@xxxxxxxxxxx [mailto:equinox-dev-bounces@xxxxxxxxxxx] On Behalf Of Hampel, Michael
Sent: Wednesday, 02 April 2008 14:50
To: equinox-dev@xxxxxxxxxxx
Subject: [equinox-dev] p2 metadata generation

Hello,
 
can someone please tell me if it is possible to generate the needed p2 metadata for "pure" bundles (no Eclipse plugins) in a local
directory and how I would do this?
 
thanx in advance for any help,
 
Michael