On Tuesday, 30.05.2006, at 12:35 -0400, Serge Knystautas wrote:
> On 5/29/06, Noel J. Bergman <[EMAIL PROTECTED]> wrote:
> > team indicates they don't support. Second, and more importantly, they must
> > handle authentication of signed artifacts. Without the latter, I would
> > sooner include the necessary jars, or require the user to download them
> > directly from a vendor site. Automatic downloading and installation without
> > verification is wrong, dangerous and irresponsible. I don't mean signed
> > jars in the Java sense of jar signing. I mean signed as in the ASF release
> > methodology.
>
> I think this is just a bunch of FUD. Java has survived for 10+ years
> without such an attack. There are just too many easier ways to hack
> systems.
>
> Obviously when ant and maven and other methods of automatically
> downloading support authentication, then great, but I see this as a
> bogus reason to not use automatic downloads.
>

I really agree ..

bye
Norman