SOT, but you have prolly solved this already...
How do you prevent somebody taking a (L)GPL'ed or Open
source for a JVM and/or core classes, hacking backdoors
and trojan horses into it, and deploying it? To be
more precise: sure it'll be either obvious (source is
there) or illegal (violation of license), but that
doesn't cut it under all circumstances. Neither do
certified CRC'ed binaries - some users might *want* to
install a tampered version locally.
Is there a way to have a technical solution that does a
runtime identification of classes, native code, and JVM
in operation that you can't fake even with access to the
source? Within the Java specs? By some custom addition?
I am facing the problem with respect to client-downloadable
Java and client-side manual installs of native DLLs, for
games (so client-side tampering for cheating/internal data
access is an issue). But similar problems should show up
with Japhar and Classpath, no? If you hand everybody the
source, how do you reliably detect malicious derivative
work?
b.
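The limitation the question runs into, shown as an added illustration that is not part of the original post: a server can only verify the bytes a client chooses to hash, not the bytes the client is actually executing. Below is a constructed, hypothetical nonce-based integrity check (the class-file contents, the function names and the protocol are all assumptions for the illustration, not anything from the post or from any JVM). It shows that the verifier correctly rejects a client that honestly hashes a modified image, but learns nothing about a client that runs a modified image while hashing an unmodified copy, which is exactly why a software-only check of this kind cannot meet the "can't fake even with the source" bar and why signed binaries authenticate origin rather than what is currently running.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for a class file (or native library) the server ships.
# The contents are made up for this illustration.
GENUINE_IMAGE = b"\xca\xfe\xba\xbe" + b"genuine Player.class body"
TAMPERED_IMAGE = b"\xca\xfe\xba\xbe" + b"tampered Player.class body (cheat)"


def server_challenge() -> bytes:
    """Fresh nonce per check so an old answer cannot simply be replayed."""
    return secrets.token_bytes(16)


def client_response(nonce: bytes, image: bytes) -> str:
    """What a client computes over whatever image it *reports* as running."""
    return hmac.new(nonce, image, hashlib.sha256).hexdigest()


def server_verify(nonce: bytes, response: str) -> bool:
    """Server recomputes the answer from its own copy of the genuine artifact."""
    expected = hmac.new(nonce, GENUINE_IMAGE, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def attestation_outcome(running: bytes, reported: bytes) -> dict:
    """Model one check.

    `running`  - the bytes the client is actually executing
    `reported` - the bytes the client feeds into the challenge

    Returns what the verifier concludes next to the ground truth, so the gap
    between the two is visible.
    """
    nonce = server_challenge()
    accepted = server_verify(nonce, client_response(nonce, reported))
    return {
        "verifier_accepts": accepted,
        "actually_genuine": running == GENUINE_IMAGE,
    }


def verifier_can_be_wrong() -> bool:
    """True when a client that runs a modified image but reports the genuine
    bytes is accepted: the check measured a report, not execution."""
    r = attestation_outcome(running=TAMPERED_IMAGE, reported=GENUINE_IMAGE)
    return r["verifier_accepts"] and not r["actually_genuine"]


if __name__ == "__main__":
    print("honest, genuine :", attestation_outcome(GENUINE_IMAGE, GENUINE_IMAGE))
    print("honest, tampered:", attestation_outcome(TAMPERED_IMAGE, TAMPERED_IMAGE))
    print("tampered, reports genuine:",
          attestation_outcome(TAMPERED_IMAGE, GENUINE_IMAGE))
```

The nonce defeats replay of a captured answer but not the underlying problem: nothing ties the hashed bytes to the code in execution. Closing that gap needs a measurement the client cannot author itself (a trusted component outside the client's control, or keeping the sensitive state and logic on the server so client integrity stops mattering), which is the practical answer to the question for a game client.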