On 05/11/2018 13:05, Langer, Christoph wrote:
Hi Alan, all,
I’d welcome a discussion, for sure. Unfortunately there hasn’t been so
much participation in this yet. I think this is an item where it’s
hard to have a clear opinion and where it’s difficult to oversee all
implications it might have.
Who’d be willing to have a look from a security perspective?

I think you'll need to do a write-up of the overall proposal so that
folks can jump in and point out the implications. It's not easy to do
this in a code review of a small piece of the solution. I suspect that
security-dev will be interested in the details for signed JARs as I
don't think the current proposal prevents tampering with the file permissions.
-Alan.