Re: [equinox-dev] Using the org.eclipse.osgi.jar.verifier
equinox-dev-bounces@xxxxxxxxxxx wrote on 2005-11-21 09:10:22 AM:
> BJ, according to the OSGi spec is the Framework required to verify
> the whole jar each time the Framework is started? The current
> implementation verifies each entry of the bundle as it is loaded on
> demand (e.g. when a class/resource is loaded). We do not
> aggressively verify the complete jar at startup. This would affect
> startup time in an unacceptable way. Imagine verifying 1000 jar
> files at startup. It would take over 10 minutes just to start up!!
Well, unless the framework keeps the bundles in a tamperproof store, not
verifying them is an excellent attack technique! I can replace a verified
jar with my attack jar and then when Eclipse restarts, I am free to
attack.
>
> Andre, you may want to try running Eclipse with the property
> osgi.checkConfiguration=true set. This should cause any bundles which
> get modified to be reinstalled. Similar to -clean except only for
> the bundles which got modified.
Perhaps this is the answer. I am not sure how you detect modification when
it happens outside of the running Eclipse.
>
> Tom
>
>
>
BJ Hargrave
Senior Technical Staff Member, IBM
OSGi Fellow and CTO of the OSGi Alliance
hargrave@xxxxxxxxxx
Office: +1 407 849 9117 Mobile: +1 386 848 3788
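
The eager whole-jar check discussed in this message, as an added example that is not part of the original e-mail and is not Equinox's own code: it reads every entry through the standard `java.util.jar` API so the JDK checks each digest, then reports entries that carry no signer. The class name `EagerJarCheck` and the sample jar contents are constructed for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;

public class EagerJarCheck {
    /** Reads every entry so its digest is checked; returns names of entries with no signer. */
    static List<String> unsignedEntries(Path jar) throws IOException {
        List<String> unsigned = new ArrayList<>();
        byte[] buf = new byte[8192];
        try (JarFile jf = new JarFile(jar.toFile(), true)) { // true = verify signed entries
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                // Signature files under META-INF/ are never signed themselves.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    // A digest mismatch surfaces as SecurityException while reading.
                    while (in.read(buf) != -1) { }
                }
                // Signers are only available after the entry has been read to the end.
                if (e.getCodeSigners() == null) unsigned.add(e.getName());
            }
        }
        return unsigned;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: an unsigned jar standing in for a bundle replaced on disk.
        Path jar = Files.createTempFile("bundle", ".jar");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(jar))) {
            out.putNextEntry(new JarEntry("com/example/Activator.class"));
            out.write(new byte[] {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE});
            out.closeEntry();
        }
        long start = System.nanoTime();
        List<String> unsigned = unsignedEntries(jar);
        long micros = (System.nanoTime() - start) / 1000;
        System.out.printf("unsigned entries: %s (%d us)%n", unsigned, micros);
        Files.delete(jar);
    }
}
```

Every byte of every entry is read, so the cost grows with total bundle size, which is the startup trade-off raised in the quoted text.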