RFR: 8215788: Clarify JarInputStream Manifest access [v7]
Lance Andersen
lancea at openjdk.org
Mon Sep 19 10:23:47 UTC 2022
On Mon, 19 Sep 2022 06:45:13 GMT, Alan Bateman <alanb at openjdk.org> wrote:
> I realise you've had a few iterations with Max on this section but I'm concerned that the text is telling the reader that they should use the 2-arg constructor to verify the signatures when a JAR is signed. The default is to verify and the main reason to use the 2-arg constructor is when you want to opt out, not opt-in.
>
> I think the intro to this section will need to start with a sentence to say that JAR files can be signed (link to specs/jar/jar.html#signed-jar-file) and that JarInputStream can read a signed JAR from the input stream. As per the description further up, the manifest must be at the start of the stream.
OK, will make another pass at this today
-------------
PR: https://git.openjdk.org/jdk/pull/10045
More information about the core-libs-dev
mailing list