Jon Stevens wrote:
>
> on 3/2/01 6:06 AM, "GOMEZ Henri" <[EMAIL PROTECTED]> wrote:
>
> > Why not just use the standard ASF (PGP and md5 signatures)
>
> I have been using that technique for Apache JServ (and the rest of the
> projects that I'm involved with) for years now.
>
> In fact after the white hack break in, I even went back and verified the
> files.
>
> +1
>
Yes, signing the distributions like that does help provide confidence against
trojans. But users who have the knowledge and tools to verify the dist are not as
prevalent. At least when signing jar files, if the user has a JVM, they have
the tools to validate the signature. Plus jar files can be validated by the
JVM itself if the application is being run with the Java SecurityManager and
a configured policy file.
> Signing .jar files is a good idea, but isn't needed for protecting against
> the hacker attacks.
>
> Anyway, instead of discussing this forever until you get so bored with the
> discussion that it doesn't happen (like 90% of the stuff that has been going
> on recently around here), just do it. Make it happen. Take the initiative.
>
Somehow I know you would say that. ;-) Starting this discussion is my
effort to show initiative. I don't have the privileges within the ASF
to make it happen, like obtaining a key in the name of the ASF, or to
implement a secure way to sign jars on the ASF server.
(And I am not asking for them either)
Regards,
Glenn
----------------------------------------------------------------------
Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder |
MOREnet System Programming | * if iz ina coment. |
Missouri Research and Education Network | */ |
----------------------------------------------------------------------
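The point Glenn makes above, that a JVM already carries the tooling to validate a signed jar, is worth showing concretely, because the JVM's own check is narrower than people expect. The following is an added example, not code from this thread, from the ASF or from any Apache project. It opens a jar with verification enabled, reads every entry so the digest check actually runs, and then adds the two checks the JVM does not make by itself: that every entry outside META-INF is covered by a signature, and that the signer is the certificate you expect, matched by SHA-256 fingerprint. The jar name, the keystore alias "asf", the file names and the policy-file path in the comments are assumptions for illustration.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/*
 * Producing the signed jar (assumed names; "asf" is a hypothetical alias):
 *
 *   keytool -genkeypair -alias asf -keyalg RSA -keysize 3072 -keystore asf.jks
 *   jarsigner -keystore asf.jks -digestalg SHA-256 -sigalg SHA256withRSA dist.jar asf
 *   jarsigner -verify -verbose -certs dist.jar      # "jar verified", but unsigned
 *                                                   # entries only produce a warning
 *   keytool -list -v -keystore asf.jks -alias asf   # prints the SHA256 fingerprint
 *
 * Letting the JVM enforce it under a SecurityManager (app.policy, assumed):
 *
 *   keystore "file:asf.jks";
 *   grant signedBy "asf" {
 *       permission java.io.FilePermission "${user.dir}/-", "read";
 *   };
 *
 *   java -Djava.security.manager -Djava.security.policy=app.policy -cp dist.jar Main
 *
 * Code not signed by "asf" still loads; it simply gets none of the granted
 * permissions. The checker below is for the case where you want a hard fail.
 *
 * Usage: java VerifyJar dist.jar <expected-signer-cert-sha256-hex>
 */
public class VerifyJar {

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java VerifyJar <file.jar> <expected-cert-sha256-hex>");
            System.exit(2);
        }
        String expected = args[1].replace(":", "").toLowerCase();
        boolean ok = true;

        // "true" enables signature verification: a modified entry throws
        // SecurityException at the moment its bytes are read.
        try (JarFile jar = new JarFile(args[0], true)) {
            if (jar.getManifest() == null) {
                System.out.println("FAIL no manifest, so nothing in this jar can be signed");
                System.exit(1);
            }
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) {
                    continue; // manifest and signature files are not themselves signed entries
                }
                // The digest is checked while the stream is consumed, and the signer
                // information is attached to the entry only after end-of-stream.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* consume */ }
                } catch (SecurityException se) {
                    System.out.println("FAIL tampered entry " + e.getName() + ": " + se.getMessage());
                    ok = false;
                    continue;
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    // An attacker can add a class the signature does not cover;
                    // the JVM loads it without complaint, so refuse it here.
                    System.out.println("FAIL unsigned entry " + e.getName());
                    ok = false;
                    continue;
                }
                for (CodeSigner s : signers) {
                    // Leaf certificate of the signer's chain; the JVM does not check
                    // it against any trust anchor, so pin it to the expected key.
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    String fp = sha256Hex(leaf.getEncoded());
                    if (!fp.equals(expected)) {
                        String who = (leaf instanceof X509Certificate)
                                ? ((X509Certificate) leaf).getSubjectX500Principal().getName()
                                : "(non-X.509 certificate)";
                        System.out.println("FAIL " + e.getName() + " signed by unexpected cert "
                                + who + " " + fp);
                        ok = false;
                    }
                }
            }
        }
        System.out.println(ok ? "OK all entries signed by the expected key" : "FAIL");
        System.exit(ok ? 0 : 1);
    }

    // Lower-case hex SHA-256 of the DER-encoded certificate, the same value
    // keytool prints as the SHA256 fingerprint (without the colons).
    static String sha256Hex(byte[] data) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Two caveats a practitioner should keep in mind. First, `jarsigner -verify` and the JVM both treat an unsigned entry as merely unsigned rather than as a failure, which is why the checker above refuses it explicitly; a tampered signed entry is the only case the JVM rejects on its own. Second, the policy-file route Glenn describes rests on the SecurityManager, which was deprecated for removal in JDK 17 (JEP 411) and permanently disabled in JDK 24 (JEP 486), so on current JVMs the verification has to happen in your own loader or build step rather than being enforced by the runtime.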