commons-dev mailing list archives

From "Sandy McArthur"
Subject [all] jar signing with jarsigner
Date Fri, 03 Mar 2006 01:28:29 GMT

The discussion on signing releases with PGP led me to wonder why jars
aren't signed with the jarsigner tool? As Java-centric as Jakarta is,
now that I think about it, it seems kind of strange that the "java
way" of signing code isn't used. I'm not suggesting replacing the PGP
sigs on releases; jarsigner doesn't do much with tarballs.

E.g., having HttpClient signed would let an admin express with the Java
security model that a web app cannot open sockets unless it's being
made by an official version of HttpClient. Or that a webapp cannot
create temp files except by a signed FileUpload lib.

Sandy McArthur

"He who dares not offend cannot be honest."
- Thomas Paine
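
The policy described in the message above, written out as an added example in Java policy-file syntax (not part of the original post, and not a Commons or Jakarta artifact). The keystore path, the signer aliases `commons-httpclient` and `commons-fileupload`, the ports and the web app directory are assumptions chosen for illustration.

```java
// Keystore holding the public certificates of the release signers.
// Path and store type are hypothetical.
keystore "file:/etc/java/commons-signers.jks", "JKS";

// Classes loaded from a JAR signed by the alias "commons-httpclient"
// may open outbound connections on the listed ports.
grant signedBy "commons-httpclient" {
    permission java.net.SocketPermission "*:80",  "connect,resolve";
    permission java.net.SocketPermission "*:443", "connect,resolve";
};

// Classes loaded from a JAR signed by the alias "commons-fileupload"
// may create and remove files under the JVM temp directory.
// "${/}" expands to the platform file separator, "-" means recursive.
grant signedBy "commons-fileupload" {
    permission java.io.FilePermission "${java.io.tmpdir}${/}-",
        "read,write,delete";
};

// The web app's own code (hypothetical location) receives no
// SocketPermission and no FilePermission on the temp directory.
grant codeBase "file:/srv/webapps/example/-" {
    permission java.util.PropertyPermission "user.dir", "read";
};

// Caveat: a permission check walks every protection domain on the call
// stack. When web app code calls into the signed library, the check also
// sees the web app's domain and fails, unless the library performs the
// socket or file operation inside AccessController.doPrivileged(...).
//
// The signature on a JAR and the certificates behind it can be inspected
// before importing a signer into the keystore:
//   jarsigner -verify -verbose -certs <library>.jar
```

The Security Manager that enforces policy files of this kind was deprecated for removal in Java 17 (JEP 411), so this applies to runtimes where it is still available and enabled.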
