Module file parse API
Paul Sandoz
paul.sandoz at oracle.com
Thu Jun 21 06:44:48 PDT 2012
On Jun 21, 2012, at 3:00 PM, Sean Mullan wrote:
>>
>> No. Not someone but something by non-nefarious means :-) Bit rot on network transmission or on disk.
>
> I don't know, it still seems like unnecessary overhead for an extremely small likelihood.
http://en.wikipedia.org/wiki/ZFS#Data_Integrity
Given the potentially large number of copies of stuff obtained from a central repository that is probably replicated around the world, has to keep stuff for a reasonable amount of time (10 years or more) and is backed up many times, perhaps that likelihood increases?
I would prefer to use ZFS to host a file-based repository :-)
> And wouldn't the entire file including the hashes be suspect then?
>
As Chris said, a consumer may only want to look at some section, e.g. the module declaration, or the classes.
> The hashes aren't even useful for signatures. This is because the signer *must* generate the hashes itself, and then generate a signature over them inside a PKCS#7 SignedData blob. It doesn't even use the existing hashes, so they are just extra duplication.
>
Agreed. They are not relevant for signing.
Paul.