[ https://issues.apache.org/jira/browse/DIRSTUDIO-741?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seelmann closed DIRSTUDIO-741.
-------------------------------------
    Resolution: Fixed

The build process changed completely and the Eclipse artifacts and update site 
are no longer signed. 
Whether signing will happen in future can be tracked in 
https://issues.apache.org/jira/browse/DIRSTUDIO-1029.

> Update site has self-signed cert that expired months before the 1.5.3 release
> -----------------------------------------------------------------------------
>
>                 Key: DIRSTUDIO-741
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-741
>             Project: Directory Studio
>          Issue Type: Bug
>          Components: studio-updatesite
>    Affects Versions: 1.5.3
>            Reporter: Jimmy Kaplowitz
>            Assignee: Pierre-Arnaud Marcelot
>            Priority: Major
>              Labels: security
>             Fix For: 2.0.0
>
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> Hi,
> I was just trying to install Apache Directory Studio 1.5.3 from within 
> Eclipse 3.7. It's saying that the certificate signing the software (or maybe 
> the update site) is both self-signed and expired in January 2010. This is a 
> bit more worrying than even having no certificate, since the 1.5.3 release is 
> from April 2010, and I'm kind of puzzled that it was signed with a 
> certificate that was already several months out of date when the release was 
> made, in addition to being self-signed. I'm also trying this more than a year 
> after the 1.5.3 release occurred, so the fact that the situation remains as 
> I've described is quite worrying from the perspective of having security 
> issues noticed and addressed in a timely fashion.
> There are many valid ways to handle the issue of code signing, including 
> deciding that it's not useful security to do it at all, making an 
> Apache-specific certificate authority, or paying for a commercial certificate 
> as is done for the *.apache.org HTTPS web sites. The current situation with 
> the Eclipse update site encourages false guarantees of security and, if 
> Apache's users are taught to ignore such warnings, exposes them to 
> man-in-the-middle or other malicious attacks when they think they are being 
> protected by the security reputation of the Apache Software Foundation.
> The time estimate I have given is assuming you decide to generate some new 
> certificate by whatever commercial or non-commercial method, and may include 
> the time to deal with a vendor and/or rebuild the software. If you simply 
> decide to switch your repository to unsigned, my estimate will probably be 
> too large.
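A check a consumer of an update site could run before trusting its artifacts, added here as an example and not part of this issue or of Directory Studio: it reads every entry of one plugin JAR and reports whether the signing certificate is self-signed and whether it was still valid on the release date (the JAR path and the release date are assumed command-line arguments).

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Audits the signers of one plugin/feature JAR from an Eclipse update site.
 *  Usage: java SignerAudit <artifact.jar> <release-date, e.g. 2010-04-15>
 *  Both arguments are assumed inputs; use the real artifact and release date. */
public class SignerAudit {
    public static void main(String[] args) throws Exception {
        Date releaseDate = Date.from(LocalDate.parse(args[1]).atStartOfDay(ZoneOffset.UTC).toInstant());
        byte[] buf = new byte[8192];
        // verify=true makes reading an entry throw SecurityException if its digest does not
        // match the signature, so a tampered JAR is caught here as well.
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signer information is only populated once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(e)) { while (in.read(buf) != -1) { } }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) { System.out.println("UNSIGNED     " + e.getName()); continue; }
                for (CodeSigner s : signers) {
                    List<? extends Certificate> chain = s.getSignerCertPath().getCertificates();
                    X509Certificate leaf = (X509Certificate) chain.get(0); // X.509 paths are leaf-first
                    System.out.println(describe(leaf, chain.size(), releaseDate) + "  " + e.getName());
                }
            }
        }
    }

    /** Flags the two conditions from the report: self-signed, and not valid on the release date. */
    static String describe(X509Certificate leaf, int chainLength, Date releaseDate) {
        boolean selfSigned = chainLength == 1
                && leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
        String validity;
        try { leaf.checkValidity(releaseDate); validity = "valid-at-release"; }
        catch (CertificateException ex) { validity = "INVALID-AT-RELEASE(notAfter=" + leaf.getNotAfter() + ")"; }
        return (selfSigned ? "SELF-SIGNED  " : "CA-issued    ") + validity
                + "  subject=" + leaf.getSubjectX500Principal().getName();
    }
}
```

Any line marked SELF-SIGNED or INVALID-AT-RELEASE reproduces the warning Eclipse showed the reporter, but from the artifact itself rather than from the installer dialog.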



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
