On Wed, Jan 11, 2012 at 12:00 PM, Afkham Azeez <[email protected]> wrote:
> +1. this will reduce the product build time by about 60%. Sanjaya, in our > Stratos setup script, by default, let's do the jar signing, using the > private key in the carbon.jks by default. Let's make the keystore a > configurable parameter so that a different one can be used during setup. > > Why do we have to sing these jars? Signing jars with a publicly available key and having default policy to go with that key is dangerous. Say a user has installed Stratos without changing the default policy, then someone can create a malicious jar and sign it with the publicly available private key in the carbon.jks and put it into that Stratos instance, that jar would face no difficulties since the default policy is accepting this jar as a legitimate jar. The best practice is to leave the jars unsigned and let the application run in a sandbox so that it will not execute any potentially dangerous code. I think if we really want to sign the jars, we shouldn't sing them with a publicly available key and there shouldn't be any policy to accept such keys. please correct me if I've mistaken. Thanks, Suresh > On Wed, Jan 11, 2012 at 11:54 AM, Harshana Martin <[email protected]>wrote: > >> Hi All, >> >> As per offline discussion had with Azeez and Shankar, we are planning to >> move Jar Signing process to a separate maven profile in order to improve >> the Carbon Build time. >> >> Idea is to avoid Jar signing for normal builds since it consumes lot of >> time and it is not required for normal users. if someone wants it, they can >> use the maven profile. >> >> Thanks and Regards, >> Harshana >> -- >> Harshana Martin >> Software Engineer >> WSO2 Inc. >> Web:http://wso2.com >> http://wso2.org >> >> Mobile: +94 716062650 >> Blog: http://harshana05.blogspot.com >> Profile: https://www.google.com/profiles/harshana05 >> Twitter: http://twitter.com/harshana05 >> >> >> _______________________________________________ >> Carbon-dev mailing list >> [email protected] >> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >> >> > > > -- > *Afkham Azeez* > Director of Architecture; WSO2, Inc.; http://wso2.com > Member; Apache Software Foundation; http://www.apache.org/ > * <http://www.apache.org/>** > email: **[email protected]* <[email protected]>* cell: +94 77 3320919 > blog: **http://blog.afkham.org* <http://blog.afkham.org>* > twitter: **http://twitter.com/afkham_azeez*<http://twitter.com/afkham_azeez> > * > linked-in: **http://lk.linkedin.com/in/afkhamazeez* > * > * > *Lean . Enterprise . Middleware* > > > _______________________________________________ > Carbon-dev mailing list > [email protected] > http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev > > -- Suresh Attanayake Software Engineer; WSO2 Inc. http://wso2.com/ Blog : http://sureshatt.blogspot.com/ Twitter : https://twitter.com/sureshatt LinkedIn : http://lk.linkedin.com/in/sureshatt Mobile : 0770419136,0710467976
_______________________________________________ Carbon-dev mailing list [email protected] http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
