On Tue, 7 Sep 2021 07:12:29 GMT, Alan Bateman <al...@openjdk.org> wrote:
>> There is a bug for URLClassPath.findResources with JarIndex.
>> With some discussions about the bug, the current priority is to remove the
>> JAR index support in URLClassPath,
>> and don’t need to do anything to the jar tool in the short term, except just
>> to move JarIndex to the jdk.jartool module.
>>
>> The PR includes:
>> 1. remove the JarIndex support in URLClassPath
>> 2. move JarIndex into jdk.jartool module.
>
> src/java.base/share/classes/java/util/jar/JarVerifier.java line 147:
>
>> 145:
>> 146: if (uname.equals(JarFile.MANIFEST_NAME) ||
>> 147: uname.equals(JarFile.INDEX_NAME)) {
>
> It would be useful if someone from security-libs could comment on this. The
> interaction between signed JAR and JAR index isn't very clear. The change you
> have is safe but it might be that we can drop the checking for INDEX.LIST
> here.
I am thinking this line should not be removed for compatibility with existing
JARs that have indexes.
-------------
PR: https://git.openjdk.java.net/jdk/pull/5383
