ant-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stephane Bailliez <stephane.baill...@haht.com>
Subject RE: Ant Security
Date Tue, 09 Jul 2002 13:56:16 GMT
> -----Original Message-----
> From: Conor MacNeill [mailto:conor@cortexebusiness.com.au]
> >
> > Is this really important...for a build file ? What are you thinking 
> > about ?
> >
> 
> Maybe it is an over reaction on my part.

uh, I just realized my latest question could be interpreted agressively.
it's not the case. I was just asking if you had something in mind in
particular.

> My point is that we are talking about downloading code and running it 
> within Ant's VM which is completely trusted. In the last few 
> days there 
> has been discussion on bugtraq about the weaknesses in Apple's OSX 
> software update mechanism. It seems to me that simple jar downloading 
> would be susceptible to the same issues unless some precautions are 
> taken. We are not signing jars currently, for example.

Yep, agreed, maybe it would be nice to do so...

> So, non-issue? Perhaps.

If you already thought about it, it should not be a problem, but then again
we are all guilty due to the jars that float around without version nor
without signing...there's a long way to go for Java versioning :-(


--
To unsubscribe, e-mail:   <mailto:ant-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:ant-dev-help@jakarta.apache.org>


Mime
View raw message