[icedtea-web] RFC: do not check INDEX.LIST for being signed
Deepak Bhole
dbhole at redhat.com
Thu Mar 24 10:34:11 PDT 2011
* Omair Majid <omajid at redhat.com> [2011-03-24 12:53]:
> On 03/24/2011 10:41 AM, Deepak Bhole wrote:
> >* Omair Majid<omajid at redhat.com> [2011-03-24 10:36]:
<snip>
> >
>
> Hm... we dont. I now recall that I ran through this code (at the
> time I originally posted the patch) and verified that all code
> loaded using INDEX.LIST is running as untrusted (doesnt matter if
> the orignal jars are trusted or not). But it did seem a little
> brittle. On second thought, how about we put this off until we have
> a security system in place so we can actually verify the jars?
>
Sure, sounds good to me! The shouldn't be that many signed jars out
there with unsigned indexes. I don't imagine this issue affecting too
many users.
Cheers,
Deepak
More information about the distro-pkg-dev
mailing list