ant-dev mailing list archives

From Matt Benson <gudnabr...@yahoo.com>
Subject Re: cvs commit: ant/docs/manual/CoreTasks signjar.html
Date Tue, 08 Feb 2005 15:31:37 GMT
To continue what I was saying before I somehow sent
the email... !
--- Matt Benson <gudnabrsam@yahoo.com> wrote:

> --- stevel@apache.org wrote:
> 
> > stevel      2005/02/07 15:51:01
> > 
> >   Modified:    docs/manual/CoreTasks signjar.html
> >   Log:
> >   This is actually a serious issue. If I have a
> > login on a machine, I can get the keystore password
> > by waiting for someone to sign a JAR on it. We can
> > fix this, either by running jarsigner in VM, or by
> > passing the input over stdio.
> 
> I would opt for the latter.  It should be as easy as
> using it for the input on the helper ExecTask,
> right? 
> What I would actually do here is add an attribute to
RedirectorElement and Redirector to suppress the
logging of the input string.  Seeing passwords echoed
is irritating to say the least, and it would be simple
enough to add this option for a modicum of--if not
security, then dignity, at least.  Signjar could
configure a RedirectorElement internally to keep the
passed input hidden, and the same approach would be
available to users wanting to pass sensitive text into
an external process.

-Matt
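
Added example (not part of the original message and not Ant code): on Linux, a child process started with the password in its arguments exposes it through /proc/<pid>/cmdline, while one fed over stdin does not; launch_log mirrors the proposed option to keep the input string out of the log. The stand-in child script, SECRET, secret_exposed and launch_log are hypothetical names used in place of jarsigner and Ant's Redirector.

```python
import subprocess
import sys

SECRET = "constructed-storepass-123"  # constructed sample value, not a real password

# Stand-in for jarsigner (assumption): takes the password from argv[1] if given,
# otherwise from the first line of stdin, then idles until stdin is closed.
CHILD = (
    "import sys\n"
    "pw = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.readline().strip()\n"
    "print('ready', flush=True)\n"
    "sys.stdin.read()\n"
)

def visible_cmdline(pid):
    """Arguments of `pid` as other local users can read them on Linux by default."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [a.decode(errors="replace") for a in f.read().split(b"\0") if a]

def secret_exposed(secret, via_stdin):
    """Run the stand-in child and report whether the secret is in its argv."""
    argv = [sys.executable, "-c", CHILD] + ([] if via_stdin else [secret])
    with subprocess.Popen(argv, stdin=subprocess.PIPE,
                          stdout=subprocess.PIPE, text=True) as child:
        if via_stdin:
            child.stdin.write(secret + "\n")
            child.stdin.flush()
        child.stdout.readline()  # child is running and holds the password
        return any(secret in arg for arg in visible_cmdline(child.pid))

def launch_log(argv, input_string, log_input=True):
    """Log line for a launch; log_input=False masks the redirected input."""
    shown = input_string if log_input else "*" * 8
    return f"exec {' '.join(argv)} <input: {shown}>"

if __name__ == "__main__":
    print("password in argv, visible :", secret_exposed(SECRET, via_stdin=False))
    print("password on stdin, visible:", secret_exposed(SECRET, via_stdin=True))
    print(launch_log(["jarsigner", "app.jar", "alias"], SECRET, log_input=False))
```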


		