Comments on the module-file format
Mark Reinhold
mr at sun.com
Fri Feb 5 12:07:53 PST 2010
> Date: Fri, 05 Feb 2010 10:55:02 +0100
> From: Patrick Wright <pdoubleya at gmail.com>
> I'd like to quickly note three use cases which come up in real-world
> module distribution, ...
>
> 1) The module artifact has a checksum by which the repository manager
> (e.g. Maven) can determine if the local copy of the artifact is
> up-to-date. AFAIK, this is to cover the case that an artifact was
> updated in-place.
The hash in a module file's main header can be used for this purpose.
> This in turn can happen if the distributor makes a
> small mistake in packaging, for example, but does not want to rev the
> version number, or within teams, using a single "snapshot" version
> which is regularly overwritten. ...
I share Brian Pontarelli's concerns regarding in-place updates and
snapshot versions, though in a module system -- as opposed to a build
system -- I'm not sure I'd go so far as to forbid them outright.
> 2) An open source project publishes a key by which the artifact can be
> verified as authentic. Most often I've seen this in projects from
> Apache, where the end user is asked to verify the artifact manually
> after download, and the hash is posted on a web page. AFAIK, the use
> case is to verify that the artifact was not swapped or tampered with
> by some third-party on the hosting servers.
This convention is common; it's not specific to Apache. It's susceptible
to the obvious man-in-the-middle attack, however, so you can't completely
trust it.
> 3) Signed JARs, which we already know about.
>
> Given the increasing reliance I see in my own team and among my
> colleagues elsewhere on open source software, it seems that having a
> standard, fairly straightforward and at best automated way to handle
> case #2 would be valuable.
That case will be handled automatically. A module-file repository will
have a catalog which includes the hash of every published module file,
and the downloader will check that the hash of a newly-downloaded module
file matches the corresponding hash in the catalog.
- Mark
More information about the jigsaw-dev
mailing list