on 3/2/01 4:02 PM, "Glenn Nielsen" <[EMAIL PROTECTED]> wrote:
> Yes, signing the distributions like that does help provide confidence against
> trojans. But users having the knowledge and tools to verify the dist are not
> as prevalent. At least when signing jar files, if the user has a JVM, they have
> the tools to validate the signature. Plus jar files can be validated by the
> JVM itself if the application is being run with the Java SecurityManager and
> a configured policy file.
How can you assume that someone would know how to sign (or check the
signature of) a .jar file yet they wouldn't know how to use md5 (fyi: man
md5)?
> Somehow I know you would say that. ;-)
I will keep repeating myself until someone finally listens.
> Starting this discussion is my
> effort to show initiative. I don't have the privileges within the ASF
> to make it happen, like obtaining a key in the name of the ASF, or to
> implement a secure way to sign jars on the ASF server.
> (And I am not asking for them either)
If you're not asking for them, then forget your proposal.
Again, I *repeat* that it is all about initiative.
-jon
--
If you come from a Perl or PHP background, JSP is a way to take
your pain to new levels. --Anonymous
<http://jakarta.apache.org/velocity/> && <http://java.apache.org/turbine/>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
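The thread contrasts verifying a signed jar with checking a distribution's md5 digest. As an added example (not code from the thread or from the ASF), the script below does the md5-style check a user would run against a published checksum list, and shows the same routine with sha256. The file names and payloads are constructed; md5("abc") and sha256("abc") are the algorithms' standard test vectors. The check only proves that the download matches the published digest: if the checksum list is fetched from the same mirror as the archive, a substituted archive can ship with a matching substituted list, which is exactly the gap a signature over the checksums or over the jar closes.

```python
"""Checksum verification of a downloaded distribution, md5sum/sha256sum style.

Added example; the file names and contents below are constructed.
"""
import hashlib
import hmac
import os
import tempfile


def parse_checksum_file(text):
    """Parse md5sum/sha256sum-style lines ('<hexdigest>  <filename>').

    Returns a dict mapping filename -> lowercase hex digest. Blank lines and
    '#' comments are skipped; a leading '*' on the filename (GNU binary-mode
    marker) is dropped.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed checksum line: %r" % line)
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def file_digest(path, algo):
    """Hash a file in chunks with the named hashlib algorithm ('md5', 'sha256')."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_distribution(path, checksum_text, algo="md5"):
    """Return (ok, reason) for `path` against the published checksum list."""
    name = os.path.basename(path)
    expected = parse_checksum_file(checksum_text).get(name)
    if expected is None:
        return False, "no checksum published for %s" % name
    actual = file_digest(path, algo)
    # Constant-time comparison of the two hex strings.
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch"
    return True, "ok"


def demo():
    """Build a constructed 'distribution', its checksum files and a tampered copy."""
    # md5("abc") and sha256("abc") are the standard test vectors for the algorithms.
    md5_sums = "900150983cd24fb0d6963f7d28e17f72  dist.tar.gz\n"
    sha256_sums = ("ba7816bf8f01cfea414140de5dae2223"
                   "b00361a396177a9cb410ff61f20015ad  dist.tar.gz\n")
    results = {}
    with tempfile.TemporaryDirectory() as d:
        genuine = os.path.join(d, "dist.tar.gz")
        with open(genuine, "wb") as f:
            f.write(b"abc")  # constructed payload
        results["md5_ok"] = verify_distribution(genuine, md5_sums, "md5")
        results["sha256_ok"] = verify_distribution(genuine, sha256_sums, "sha256")
        # A copy from a second mirror in which one byte differs.
        mirror = os.path.join(d, "mirror", "dist.tar.gz")
        os.makedirs(os.path.dirname(mirror))
        with open(mirror, "wb") as f:
            f.write(b"abd")  # constructed, altered payload
        results["tampered"] = verify_distribution(mirror, md5_sums, "md5")
        # A checksum list that does not mention the file at all.
        results["unlisted"] = verify_distribution(genuine, "deadbeef  other.tar.gz\n")
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-10s %s (%s)" % (name, "PASS" if ok else "FAIL", reason))
```

Running the script prints PASS for the two genuine checks and FAIL for the altered copy and for the file missing from the list; the parser accepts the output of both `md5sum` and `sha256sum`, so the same verification step works whichever digest a project publishes.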