container format for jigsaw modules

Roger Riggs Roger.Riggs at Sun.COM
Thu Nov 12 12:25:23 PST 2009


Hi,

A couple of comments:

1) I don't see requirements related to security except for hashes that
allow checking of the integrity of the container and contents.
The Java security mechanisms are in most cases based on authentication
of the source of the class files that can be verified using PKI (signed
JARs in the current system).
There should be a requirement to be able to verify the contents at
various levels.
The granularity should be variable to match the components extracted
and used from the container.

2) To allow dynamic loading of dependencies, each container should be
able to include the URI/URL of the other modules it depends on.  In a
lightly administered application, the URLs can be used directly to
download missing dependencies.
In a more controlled environment the URIs can be used to look up where
to find missing dependencies.  Another alternative would be to identify
only the URL of a service that would provide the modules.

3) In JavaME, small application descriptors were used to be able to
download the meta-data for an application/library. It is possible to
download the descriptors ahead of the bulk of the application's JARs and
libraries and be able to verify dependencies and whether the components
are already present.  It is an opportunity to eliminate transfers when
they are not needed.  The key information needs to be sufficient to
validate that the dependencies are or are not met with current modules.
This allows the entire graph to be checked before downloading the bulk
of the data.

4) Have you considered being able to use RTSP (Streaming protocol) for
the transport?
Though it is typically associated more with media than application
delivery, it supports random access.

I'll have to take a look at XAR and see how these are handled.

Roger
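
The descriptor-first check from point 3, combined with the integrity hashes from point 1, as an added example that is not part of the original message or of the Jigsaw project. The descriptor fields (name, sha256, requires) and the sample modules are hypothetical and constructed for illustration.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: module bodies standing in for remote containers.
BODIES = {"app": b"app-1.0", "net": b"net-1.0", "util": b"util-1.0"}
REQUIRES = {"app": ["net", "util"], "net": ["util"], "util": []}

# Hypothetical descriptor layout (name, sha256, requires); not a Jigsaw format.
# Assumed to be authenticated already (e.g. signed); otherwise the hashes
# inside it say nothing about the source of the module.
DESCRIPTORS = {
    n: {"name": n, "sha256": sha256_hex(BODIES[n]), "requires": REQUIRES[n]}
    for n in BODIES
}


def plan_downloads(root, descriptors, installed):
    """Walk the dependency graph using descriptors only.

    installed maps module name -> sha256 of the local copy.
    Returns (to_fetch, unresolved): modules whose bodies must be downloaded,
    dependencies first, and names for which no descriptor is available.
    """
    to_fetch, unresolved, seen = [], [], set()

    def visit(name):
        if name in seen:           # also terminates on dependency cycles
            return
        seen.add(name)
        desc = descriptors.get(name)
        if desc is None:
            unresolved.append(name)
            return
        for dep in desc["requires"]:
            visit(dep)
        if installed.get(name) != desc["sha256"]:
            to_fetch.append(name)  # absent, or local copy differs

    visit(root)
    return to_fetch, unresolved


def verify_body(desc, body: bytes) -> bool:
    """Check a downloaded body against the hash pinned in its descriptor."""
    return hmac.compare_digest(sha256_hex(body), desc["sha256"])
```

Only the modules returned in to_fetch need their bulk data transferred, and each downloaded body is checked with verify_body before use.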
