directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jimmy Kaplowitz (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DIRSTUDIO-741) Update site has self-signed cert that expired months before the 1.5.3 release
Date Wed, 31 Aug 2011 22:27:14 GMT
Update site has self-signed cert that expired months before the 1.5.3 release
-----------------------------------------------------------------------------

                 Key: DIRSTUDIO-741
                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-741
             Project: Directory Studio
          Issue Type: Bug
          Components: studio-updatesite
            Reporter: Jimmy Kaplowitz


Hi,

I was just trying to install Apache Directory Studio 1.5.3 from within Eclipse 3.7. It's saying
that the certificate signing the software (or maybe the update site) is both self-signed and
expired in January 2010. This is a bit more worrying than even having no certificate, since
the 1.5.3 release is from April 2010, and I'm kind of puzzled that it was signed with a certificate
that was already several months out of date when the release was made, in addition to being
self-signed. I'm also trying this more than a year after the 1.5.3 release occurred, so the
fact that the situation remains as I've described is quite worrying from the perspective of
having security issues noticed and addressed in a timely fashion.

There are many valid ways to handle the issue of code signing, including deciding that it's
not useful security to do it at all, making an Apache-specific certificate authority, or paying
for a commercial certificate as is done for the *.apache.org HTTPS web sites. The current
situation with the Eclipse update site encourages false guarantees of security and, if Apache's
users are taught to ignore such warnings, exposes them to man-in-the-middle or other malicious
attacks when they think they are being protected by the security reputation of the Apache
Software Foundation.

The time estimate I have given is assuming you decide to generate some new certificate by
whatever commercial or non-commercial method, and may include the time to deal with a vendor
and/or rebuild the software. If you simply decide to switch your repository to unsigned, my
estimate will probably be too large.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message