commons-dev mailing list archives

From "Henri Yandell" <flame...@gmail.com>
Subject Re: [all] jar signing with jarsigner
Date Fri, 03 Mar 2006 04:18:00 GMT
Steve Loughran's had some interesting things to say on this on
repository@apache.org over the last year or so. Basically that in his
opinion jar signing plain didn't work and we shouldn't be bothering
with it.

Have you had good fortune with jar signing, or are you like me - it's
an idea that you've never had time to pursue?

Hen

On 3/2/06, Sandy McArthur <sandymac@apache.org> wrote:
> The discussion on signing releases with PGP led me to wonder why jars
> aren't signed with the jarsigner tool? As Java-centric as Jakarta is,
> now that I think about it, it seems kind of strange that the "java
> way" of signing code isn't used. I'm not suggesting replacing the PGP
> sigs on releases, jarsigner doesn't do much with tarballs.
>
> E.g.: having HttpClient signed would let an admin express with the Java
> security model that a web app cannot open sockets unless it's being
> made by an official version of HttpClient. Or that a webapp cannot
> create temp files except by a signed FileUpload lib.
>
> http://java.sun.com/docs/books/tutorial/security1.2/toolsign/
> http://java.sun.com/j2se/1.3/docs/tooldocs/solaris/jarsigner.html
> --
> Sandy McArthur
>
> "He who dares not offend cannot be honest."
> - Thomas Paine
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-dev-help@jakarta.apache.org
>
>

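Added example, not part of either message in this thread: a `java.policy` fragment showing how the per-signer restriction described in the quoted message is written, with a broad grant beside the signer-scoped one. The keystore URL, the alias `commons-release` and the jar paths are placeholders assumed for illustration.

```text
// java.policy fragment (constructed example; paths and alias are placeholders).

// Keystore holding the certificate that the signedBy alias below refers to.
keystore "file:/path/to/trusted-signers.jks", "JKS";

// Broad form, shown commented out for contrast: every class under the
// web app may connect anywhere, whoever built or modified the jars.
// grant codeBase "file:/path/to/webapp/-" {
//     permission java.net.SocketPermission "*", "connect,resolve";
// };

// Scoped form: the permission applies only to classes loaded from this
// location AND signed by the key behind the alias. An unsigned jar, or one
// signed with a different key, does not match the grant.
grant signedBy "commons-release",
      codeBase "file:/path/to/webapp/WEB-INF/lib/commons-httpclient.jar" {
    permission java.net.SocketPermission "*:80", "connect,resolve";
};

// Same idea for temp files created through a signed FileUpload jar.
grant signedBy "commons-release",
      codeBase "file:/path/to/webapp/WEB-INF/lib/commons-fileupload.jar" {
    permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read,write,delete";
};

// Caveat: a permission check inspects every protection domain on the call
// stack. Web app code that has no SocketPermission of its own still fails
// the check when it calls into the signed jar, unless the library performs
// the socket call inside AccessController.doPrivileged(...).
```

Before trusting an alias in a policy, check the jar's signature and certificate chain with `jarsigner -verify -verbose -certs <jar>`.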

