Steve Loughran's had some interesting things to say on this on
[email protected] over the last year or so. Basically that in his
opinion jar signing plain didn't work and we shouldn't be bothering
with it.

Have you had good fortune with jar signing, or are you like me - it's
an idea that you've never had time to pursue?

Hen

On 3/2/06, Sandy McArthur <[EMAIL PROTECTED]> wrote:
> The discussion on signing releases with PGP led me to wonder why jars
> aren't signed with the jarsigner tool? As Java centric as Jakarta is,
> now that I think about it, it seems kind of strange that the "java
> way" of signing code isn't used. I'm not suggesting replacing the PGP
> sigs on releases, jarsigner doesn't do much with tarballs.
>
> Eg: having HttpClient signed would let an admin express with the Java
> security model that a web app cannot open sockets unless it's being
> made by an official version of HttpClient. Or that a webapp cannot
> create temp files except by a signed FileUpload lib.
>
> http://java.sun.com/docs/books/tutorial/security1.2/toolsign/
> http://java.sun.com/j2se/1.3/docs/tooldocs/solaris/jarsigner.html
> --
> Sandy McArthur
>
> "He who dares not offend cannot be honest."
> - Thomas Paine
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]