ant-dev mailing list archives

From Thomas Schapitz <t.schap...@lycos.de>
Subject Re: cvs commit: ant/docs/manual/CoreTasks checksum.html
Date Thu, 17 Feb 2005 12:37:52 GMT
Kev Jackson wrote:

> I don't think that this is the major problem.  It's very very very
> unlikely that anyone would want to tamper with Ant (why bother, a user
> can always get the source and build themselves?).  The problem is that
> when using Ant to build new code (and to generate a checksum for that
> distribution), now you as the developer of new-shiny-application have
> to decide whether anyone is going to take the time to create a fake
> version of your app.

Corruption of the new App isn't necessarily the intention of a potential
attacker. It's far more interesting to intercept passwords passed into
ftp, ssh, or scp tasks, to spy into the file system accessible to the
ant installation, or even to install malware.

This said, our options to prevent this are very limited, and depend
heavily on the cooperation of ANT users. Or did you ever know somebody
who checked the checksums of an ANT distribution contained as a
convenience in another system (e.g. netbeans, or weblogic)?

Thomas




---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org

