[icedtea-web] RFC: do not check INDEX.LIST for being signed

Deepak Bhole dbhole at redhat.com
Thu Mar 24 10:34:11 PDT 2011

* Omair Majid <omajid at redhat.com> [2011-03-24 12:53]:
> On 03/24/2011 10:41 AM, Deepak Bhole wrote:
> >* Omair Majid<omajid at redhat.com>  [2011-03-24 10:36]:
> >
> Hm... we don't. I now recall that I ran through this code (at the
> time I originally posted the patch) and verified that all code
> loaded using INDEX.LIST is running as untrusted (doesn't matter if
> the original jars are trusted or not). But it did seem a little
> brittle. On second thought, how about we put this off until we have
> a security system in place so we can actually verify the jars?

Sure, sounds good to me! There shouldn't be that many signed jars out
there with unsigned indexes. I don't imagine this issue affecting too
many users.

