ant-dev mailing list archives

From "Steve Loughran" <>
Subject Re: Cryptographic Hash function from ant
Date Thu, 11 Apr 2002 23:01:49 GMT

----- Original Message -----
From: "Christian Geuer-Pollmann" <>
To: "Ant Developers List" <>
Sent: Thursday, April 11, 2002 2:34 PM
Subject: Re: Cryptographic Hash function from ant

> --On Thursday, 11 April 2002 13:50 +0200 Stefan Bodewig
> <> wrote:
> > On Wed, 10 Apr 2002, Christian Geuer-Pollmann
> >> BTW, is this XML Signature functionality interesting for you?
> >
> > I'm not familiar with it, could you explain in what way it may be
> > interesting for Ant?
> Well, if you look at signed JAR archives, the person who downloads and
> executes a Java program stored in a JAR can verify who's the software
> vendor of this archive. If you look at distributing software on the apache
> site, many projects do use PGP to sign the ZIP files for binary and source
> distros. Incorporating XML Signatures into ant make files would enable an
> ant build run to verify the integrity of the whole distribution; not only
> after downloading the software from the web but each time an ant run is
> started.
> Depends on the scenario whether a project needs such kind of security or
> not.

hmm. a signed ant file would still be vulnerable to someone subverting the
taskdefs and so changing behavior, but in a remote submission model (like
rant) you may want to authenticate which build files you run, as well as the
user submitting the jobs.

I don't see a pressing need for it in the ant core, <XmlSign> and
<XmlSignatureVerify> could be good tasks to add to the apache XmlSignature
project. It makes a lot more sense to keep something like that tightly
integrated with the implementation; avoids version issues &c.
