On Tue, 7 Sep 2021 07:12:29 GMT, Alan Bateman <al...@openjdk.org> wrote:

>> There is a bug for URLClassPath.findResources with JarIndex.
>> With some discussions about the bug, the current priority is to remove the
>> JAR index support in URLClassPath,
>> and we don’t need to do anything to the jar tool in the short term, except just
>> to move JarIndex to the jdk.jartool module.
>> 
>> The PR includes:
>> 1. remove the JarIndex support in URLClassPath
>> 2. move JarIndex into the jdk.jartool module.
>
> src/java.base/share/classes/java/util/jar/JarVerifier.java line 147:
> 
>> 145: 
>> 146:                 if (uname.equals(JarFile.MANIFEST_NAME) ||
>> 147:                         uname.equals(JarFile.INDEX_NAME)) {
> 
> It would be useful if someone from security-libs could comment on this. The 
> interaction between signed JAR and JAR index isn't very clear. The change you 
> have is safe but it might be that we can drop the checking for INDEX.LIST 
> here.

I am thinking this line should not be removed for compatibility with existing 
JARs that have indexes.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5383
