Update site has self-signed cert that expired months before the 1.5.3 release
-----------------------------------------------------------------------------

                 Key: DIRSTUDIO-741
                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-741
             Project: Directory Studio
          Issue Type: Bug
          Components: studio-updatesite
            Reporter: Jimmy Kaplowitz


Hi,

I was just trying to install Apache Directory Studio 1.5.3 from within Eclipse 
3.7. It's saying that the certificate signing the software (or maybe the update 
site) is both self-signed and expired in January 2010. This is a bit more 
worrying than even having no certificate, since the 1.5.3 release is from April 
2010, and I'm kind of puzzled that it was signed with a certificate that was 
already several months out of date when the release was made, in addition to 
being self-signed. I'm also trying this more than a year after the 1.5.3 
release occurred, so the fact that the situation remains as I've described is 
quite worrying from the perspective of having security issues noticed and 
addressed in a timely fashion.

There are many valid ways to handle the issue of code signing, including 
deciding that it's not useful security to do it at all, making an 
Apache-specific certificate authority, or paying for a commercial certificate 
as is done for the *.apache.org HTTPS web sites. The current situation with the 
Eclipse update site encourages false guarantees of security and, if Apache's 
users are taught to ignore such warnings, exposes them to man-in-the-middle or 
other malicious attacks when they think they are being protected by the 
security reputation of the Apache Software Foundation.

The time estimate I have given is assuming you decide to generate some new 
certificate by whatever commercial or non-commercial method, and may include 
the time to deal with a vendor and/or rebuild the software. If you simply 
decide to switch your repository to unsigned, my estimate will probably be too 
large.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
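The two properties the report complains about, a signing certificate that is self-signed and one that had already expired on the release date, can be checked mechanically. The following is an added example, not code from Directory Studio or the reporter; it assumes the third-party `cryptography` library and builds a throwaway certificate with the report's dates rather than fetching anything from the real update site.

```python
# Added check: is an update-site signing certificate self-signed, and had it
# already expired on the release date? Assumes the `cryptography` library.
from datetime import datetime, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def assess_signing_cert(pem: bytes, release_date: datetime) -> dict:
    """Report self-signed status, expiry date, and expiry-before-release."""
    cert = x509.load_pem_x509_certificate(pem)
    # Newer cryptography exposes tz-aware dates; fall back to the naive UTC field.
    not_after = getattr(cert, "not_valid_after_utc", None) \
        or cert.not_valid_after.replace(tzinfo=timezone.utc)
    # Self-signed means issuer == subject AND the signature verifies with the
    # certificate's own public key (RSA / PKCS#1 v1.5 assumed for this check).
    self_signed = cert.issuer == cert.subject
    if self_signed:
        try:
            cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            self_signed = False
    return {"self_signed": self_signed, "not_after": not_after,
            "expired_at_release": not_after < release_date}

def constructed_self_signed_cert(not_before: datetime, not_after: datetime) -> bytes:
    """Build a constructed (throwaway) self-signed cert with the given validity."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "updatesite.example.invalid")])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)          # issuer == subject
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .sign(key, hashes.SHA256()))                   # signed with own key
    return cert.public_bytes(serialization.Encoding.PEM)

def report_scenario() -> dict:
    """Dates mirror the report: expiry in January 2010, release in April 2010."""
    pem = constructed_self_signed_cert(datetime(2009, 1, 1, tzinfo=timezone.utc),
                                       datetime(2010, 1, 31, tzinfo=timezone.utc))
    return assess_signing_cert(pem, datetime(2010, 4, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(report_scenario())
```

A real update site's certificate would be extracted from the signed JAR or the TLS endpoint and passed to `assess_signing_cert` in place of the constructed one.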
