On Thu, 13 Jan 2005 09:26:45 +1100, Brett Porter <[EMAIL PROTECTED]> wrote:
> Hi Steve,
> I'd like to do whatever we can to get better security on this stuff. I
> just need to get my head around what JAR signing provides in
> comparison to key signing, and what impact it might have on existing
> code. I'll read up on it.
it doesnt hit existing code until you run with security turned on.
At that point
-JAR files need to be signed
-you cannot have classes in the same package in >1 jar
I believe the latter only kicks in under a secure classloader; we will
have to check. If it is the case that everything has to be sealed,
then signed jars are a no-starter.
I will get our professionally paranoid security person on the case.
> Is there a rough timeframe on the next Ant release so we can shoot to
> include all of this?
no, no timeframe at all. "when there is something worth delivering".
None of the users are pressing for upgrades, the IDEs are all stable,
etc, etc. Now is the time to get things right.