Hi,

We at Apache are interested in setting up an Apache-wide Eclipse update site. Several concerns have been brought up which I've not been able to find answers to, and I'm hoping that sending a note here might lead me in the right direction :)

So our primary concern is with signed jars on the update site. The update site for the "Apache Geronimo" project currently has feature and plugin jars that are signed, and the signatures exist in the same directory as each of the plugins/features. However, when using the update manager to install the features, it looks as if the jar validation is not occurring, as the warning message "... not digitally signed" appears. So question 1 is... what are the steps to correctly enable this jar validation?

Secondly, can mirroring be supported without the site.xml having to exist on the mirror sites as well? Does the mirror site require a copy of the site.xml, or can it somehow be configured to reuse the site.xml you're pointing to originally? For the Geronimo case, not mirroring the site.xml seems to invalidate the mirror site. Our concern is with the mirror site being spoofed and the possibility of site.xml being modified to point to bad jars. I've been told that XML can be signed, but can Eclipse validate the consistency of the site.xml?

Finally, we're wanting to set up a separate subdomain for the Eclipse update site and are looking into names. Who can I talk to to ensure that none of the choices break any Eclipse trademarks? (example... www.eclipse.apache.org)

Any answers would be appreciated or point me to the correct people.

Thank you.

- sachin


