Re: [equinox-dev] ANNOUNCEMENT - Security "Work Area" in Equinox/Eclipse

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [equinox-dev] ANNOUNCEMENT - Security "Work Area" in Equinox/Eclipse

From: Benjamin Reed <breed@xxxxxxxxxxxxxxx>
Date: Fri, 28 Jan 2005 13:51:53 -0800
Delivered-to: equinox-dev@xxxxxxxxxxx
List-archive: <http://dev.eclipse.org/pipermail/equinox-dev/>
List-help: <mailto:equinox-dev-request@eclipse.org?subject=help>
List-subscribe: <http://dev.eclipse.org/mailman/listinfo/equinox-dev>, <mailto:equinox-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <http://dev.eclipse.org/mailman/listinfo/equinox-dev>, <mailto:equinox-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20050105 Debian/1.7.5-1

Signing a jar file doesn't mean that additional files can be added.Actually it is perfectly valid since you can have partially signed Jarfiles. The new files would just have no signature or possibly adifferent signature. It also doesn't stop files from being removed. Itonly stops files from getting modified.

Right now work is going on in OSGi to require that bundles be fullysigned. What this means is that files not signed by the same signer asthe manifest will be ignored. Signatures that do not sign the manifestwill also be ignored. I think this would address the problems you arerunning into.


ben

Dorian Birsan wrote:

The update manager needs better support for dealing with signedfeatures and plugins. It looks like signing a jar does not stop onefrom adding other unsigned files to the jar.See bug https://bugs.eclipse.org/bugs/show_bug.cgi?id=83349. As theupdate team is interested in your work, do you have any bugs that wecould cc: to for tracking the security work effort?
-Dorian



*jrosenth@xxxxxxxxxxxxxxxx*
Sent by: equinox-dev-admin@xxxxxxxxxxx

01/28/2005 09:48 AM
Please respond to
equinox-dev


	
To
	equinox-dev@xxxxxxxxxxx
cc
	
Subject
	[equinox-dev] ANNOUNCEMENT - Security "Work Area" in Equinox/Eclipse



	






Please see the update overviews in the Security work area of Equinox.  The
goal of the work area is to further discussion and development of Eclipse
and the Eclipse RCP as a secure application platform._
__http://dev.eclipse.org/viewcvs/indextech.cgi/~checkout~/equinox-home/security/index.html_<http://dev.eclipse.org/viewcvs/indextech.cgi/%7Echeckout%7E/equinox-home/security/index.html>
Jay R.
IBM Software Group
Workplace, Portal and Collaboration Software
(formerly Lotus Software)
"Committee, n.: A group of men who individually can do nothing but asa group decide that nothing can be done. -- Fred Allen"

Follow-Ups:
- Re: [equinox-dev] ANNOUNCEMENT - Security "Work Area" in Equinox/Eclipse
  - From: Dorian Birsan

References:
- Re: [equinox-dev] ANNOUNCEMENT - Security "Work Area" in Equinox/Eclipse
  - From: Dorian Birsan

Prev by Date: Re: [equinox-dev] ANNOUNCEMENT - Security "Work Area" in Equinox/Eclipse
Next by Date: Re: [equinox-dev] ANNOUNCEMENT - Security "Work Area" in Equinox/Eclipse
Previous by thread: Re: [equinox-dev] ANNOUNCEMENT - Security "Work Area" in Equinox/Eclipse
Next by thread: Re: [equinox-dev] ANNOUNCEMENT - Security "Work Area" in Equinox/Eclipse
Index(es):
- Date
- Thread

Breadcrumbs