I think this needs the use of PGP.
And for signed applets, there is a need for support from the JVM.


>SOT, but you have prolly solved this already...
>
>How do you prevent somebody taking a (L)GPL'ed or Open
>source for a JVM and/or core classes, hacking backdoors
>and trojan horses into it, and deploying it? To be
>more precise: sure it'll be either obvious (source is
>there) or illegal (violation of license), but that
>doesn't cut it under all circumstances. Neither does
>certified CRC'ed binaries - some users might *want* to
>install a tampered version locally.
>
>Is there a way to have a technical solution that does a
>runtime identification of classes, native code, and JVM
>in operation that you can't fake even with access to the
>source? Within the Java specs? By some custom addition?
>
>I am facing the problem with respect to client-downloadable
>Java and client-side manual installs of native DLLs, for
>games (so client-side tampering for cheating/internal data 
>access is an issue). But similar problems should show up 
>with Japhar and Classpath, no? If you hand everybody the
>source, how do you reliably detect malicious derivative
>work?
>
>
>                                             b.
>
