Hi Suresh,

On Fri, Jan 13, 2012 at 9:34 AM, Suresh Attanayaka wrote:

> On Wed, Jan 11, 2012 at 12:00 PM, Afkham Azeez wrote:
>
>> +1. This will reduce the product build time by about 60%. Sanjaya, in our
>> Stratos setup script, by default, let's do the jar signing, using the
>> private key in the carbon.jks by default. Let's make the keystore a
>> configurable parameter so that a different one can be used during setup.
>
> Why do we have to sign these jars? Signing jars with a publicly available
> key and having default policy to go with that key is dangerous. Say a user
> has installed Stratos without changing the default policy, then someone can
> create a malicious jar and sign it with the publicly available private key
> in the carbon.jks and put it into that Stratos instance, that jar would
> face no difficulties since the default policy is accepting this jar as
> a legitimate jar.
> The best practice is to leave the jars unsigned and let the application
> run in a sandbox so that it will not execute any potentially dangerous
> code. I think if we really want to sign the jars, we shouldn't sign them
> with a publicly available key and there shouldn't be any policy to accept
> such keys. Please correct me if I'm mistaken.

For SLive production systems we sign the jars using a different keystore (stratos.jks), not with wso2carbon.jks.

Thanks,

> Thanks,
> Suresh
>
>> On Wed, Jan 11, 2012 at 11:54 AM, Harshana Martin wrote:
>>
>>> Hi All,
>>>
>>> As per offline discussion had with Azeez and Shankar, we are planning to
>>> move Jar Signing process to a separate maven profile in order to improve
>>> the Carbon Build time.
>>>
>>> Idea is to avoid Jar signing for normal builds since it consumes a lot of
>>> time and it is not required for normal users. If someone wants it, they can
>>> use the maven profile.
>>>
>>> Thanks and Regards,
>>> Harshana

--
Supun Malinga,
Software Engineer, WSO2 Inc.
http://wso2.com http://wso2.org
_______________________________________________ Carbon-dev mailing list [email protected] http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
