www-repository mailing list archives

From "Steve Loughran" <steve.lough...@gmail.com>
Subject Re: Summary
Date Sat, 04 Mar 2006 22:04:24 GMT
On 3/4/06, Henri Yandell <flamefew@gmail.com> wrote:
> On 3/3/06, Dain Sundstrom <dain@iq80.com> wrote:
> >
> > BTW it would be nice if we could just use standard Java Jar signing.
> > That way the ultimate user of the code, the JVM, can verify the Jar.
>
> Hearing this idea a lot; Steve Loughran had some emails saying that
> signing wouldn't work - Steve?
>
> Hen
>

It would be nice, cos then java webstart could run from the
repository. But once a jar is signed, only jars signed by the same
person can declare classes/resources in the same package (I think the
root package is special, as in META-INF)

As a consequence
 -hibernate breaks; it cannot add new proxy classes for your code on the fly
 -nobody would be allowed to add new classes to the package in any other JAR

Problem #2 kind of goes against your right of an OSS user, the easy
ability to add new stuff to a JAR. So, say I wanted to patch
ant-junit.jar, which declares stuff in org.apache.tools.ant.optional,
I'd need to rebuild the whole of ant or strip out the signatures, just
to get my single jar to work. Which complicates redist too.

Now, if you design an app with signing in from the outset, maybe this
would be a feature not a problem. So, say maven could always only
download and run signed plugins; it would be signed itself from the
outset, so as long as that original bootstrapper got to you securely,
and all instructions it received were authenticated, you would have a
local chain of trust.

And returning to webstart, it's flawed, horribly, I just haven't sat
down to prove it yet. When you run a webstart app an HTML doc is
downloaded that lists the JARs to run, the JRE pulls them down and
runs them, starting at the main entry point listed in the descriptor.
If a signed JAR has any other entry point in, then it is at risk of
being called. Does anyone audit their JARs for entry points? Exactly.
If you sign a JAR you are saying "safe to use in a java web start
triggered by an untrusted HTML descriptor", which is not something we
are prepared to say.

-steve
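The two JVM behaviours Steve describes, the per-package signer consistency check and the "any public static main is an entry point" problem, can both be audited on a JAR before it is shipped. The following Java program is an added example written for this archive page; it is not code from the thread, from Ant or from Maven. It assumes a JDK 8 or later, takes the path of one JAR as its only argument, and opens the JAR with verification enabled so that tampered entries surface as well. The package-level report mirrors the check the JVM applies when a single class loader defines classes from that package: a package whose entries carry more than one signer set (including "UNSIGNED") is what causes the "signer information does not match" SecurityException.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example (not from the thread): audit one JAR for mixed signers per package and for main() entry points. */
public class JarSignerAudit {

    /** Package name of a JAR entry, e.g. "org/apache/tools/ant/Main.class" -> "org.apache.tools.ant". */
    static String packageOf(String entryName) {
        int slash = entryName.lastIndexOf('/');
        return slash < 0 ? "" : entryName.substring(0, slash).replace('/', '.');
    }

    /** Human-readable signer set: subject DNs of the leaf certificates, or UNSIGNED. */
    static String describe(CodeSigner[] signers) {
        if (signers == null || signers.length == 0) return "UNSIGNED";
        Set<String> names = new TreeSet<>();
        for (CodeSigner s : signers) {
            Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
            names.add(leaf instanceof X509Certificate
                    ? ((X509Certificate) leaf).getSubjectX500Principal().getName()
                    : leaf.getType());
        }
        return String.join("+", names);
    }

    /** Reads every entry (which is what triggers signature verification) and groups signer sets by package. */
    static Map<String, Set<String>> signersByPackage(JarFile jar) throws IOException {
        Map<String, Set<String>> result = new TreeMap<>();
        byte[] buf = new byte[8192];
        Enumeration<JarEntry> entries = jar.entries();
        while (entries.hasMoreElements()) {
            JarEntry e = entries.nextElement();
            if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
            String signer;
            try (InputStream in = jar.getInputStream(e)) {
                while (in.read(buf) != -1) { /* drain: signers are only populated after a full read */ }
                signer = describe(e.getCodeSigners());
            } catch (SecurityException tampered) {
                // JarFile throws here when the entry's digest does not match the signed manifest.
                signer = "TAMPERED";
            }
            result.computeIfAbsent(packageOf(e.getName()), k -> new TreeSet<>()).add(signer);
        }
        return result;
    }

    /** Classes exposing public static void main(String[]); classes are loaded without running static initialisers. */
    static List<String> mainEntryPoints(JarFile jar, URL jarUrl) throws IOException {
        List<String> found = new ArrayList<>();
        try (URLClassLoader loader = new URLClassLoader(new URL[]{jarUrl}, null)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                String name = entries.nextElement().getName();
                if (!name.endsWith(".class") || name.contains("-")) continue; // skips module-info / package-info
                String cls = name.substring(0, name.length() - ".class".length()).replace('/', '.');
                try {
                    Class<?> c = Class.forName(cls, false, loader); // false = do not initialise
                    Method m = c.getDeclaredMethod("main", String[].class);
                    int mods = m.getModifiers();
                    if (Modifier.isPublic(mods) && Modifier.isStatic(mods) && m.getReturnType() == void.class) {
                        found.add(cls);
                    }
                } catch (NoSuchMethodException none) {
                    // no main(String[]) declared on this class
                } catch (Throwable t) {
                    // Dependencies outside this JAR are not on the loader's path; report rather than hide it.
                    found.add(cls + " (could not inspect: " + t.getClass().getSimpleName() + ")");
                }
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java JarSignerAudit <file.jar>");
            System.exit(2);
        }
        File f = new File(args[0]);
        try (JarFile jar = new JarFile(f, true)) { // true = verify signatures while reading
            System.out.println("Signer sets per package (MIXED = a single class loader would reject this package):");
            for (Map.Entry<String, Set<String>> e : signersByPackage(jar).entrySet()) {
                String flag = e.getValue().size() > 1 ? "  MIXED " : "        ";
                String pkg = e.getKey().isEmpty() ? "(default package)" : e.getKey();
                System.out.println(flag + pkg + " -> " + e.getValue());
            }
            System.out.println("Classes exposing public static void main(String[]):");
            for (String cls : mainEntryPoints(jar, f.toURI().toURL())) {
                System.out.println("  " + cls);
            }
        }
    }
}
```

Run it as `java JarSignerAudit some.jar`. Every class the second report lists is a launchable entry point once the JAR is signed and referenced from a Web Start descriptor, which is the audit the mail says nobody performs. The first report is deliberately scoped to one JAR; because the JVM compares signers per package within a class loader, running it over each JAR that will share a loader (and noting which packages overlap) gives the complete picture for the "add a class to someone else's package" case.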
