Proposal: mandatory versioning metadata for modules
Hendy Irawan
hendy at soluvas.com
Thu Oct 25 04:50:55 PDT 2012
Hi all,
Regardless of security concerns (for which versioning is only of little help),
I support making versions mandatory.
Is there a formal process for accepting this proposal?
Hendy
On Thu, Oct 25, 2012 at 6:29 PM, Alan Bateman <Alan.Bateman at oracle.com> wrote:
> On 25/10/2012 06:03, David Jorm wrote:
>
>> Hi All
>>
>> I am currently working on a system for tracking JAR files that expose
>> known security flaws, identifying them by checksums or metadata. In short,
>> both of these mechanisms have shortcomings. Checksums of JAR files provide
>> zero false positives, but have huge scope for false negatives. Whenever a
>> JAR is re-compiled, bits in the JAR change and the checksum changes.
>> Metadata is unreliable, as META-INF/MANIFEST.MF does not require the
>> inclusion of title and version elements. A more detailed overview is
>> available here [0]. To give an example of the problem I'm attempting to
>> solve, Spring 2.5.6 exposes a remote code execution flaw. It is fixed in
>> Spring 2.5.6.SEC01. I want to be able to distinguish between 2.5.6 and
>> 2.5.6.SEC01 to identify whether a system is deploying the vulnerable JAR. I can't
>> just use a checksum of the file, because if anyone recompiles it, bits
>> change. I also can't rely on the MANIFEST.MF, because it may or may not
>> include any version data; it may not even identify the title of the
>> component as "Spring".
>>
>> The Jigsaw project offers a great opportunity to solve this problem.
>> However, I note in the documentation [1]:
>>
>> "A /module/ is a collection of Java types (/i.e./, classes and
>> interfaces) with a name, an optional version number, and a formal
>> description of its relationships to other modules."
>>
>> The problem here is "optional" version number. What I'm trying to achieve
>> is mandatory minimal version metadata. What do people think about making
>> version number a requirement for Jigsaw modules? Would that be feasible and
>> if so would it be desirable?
>>
>> Thanks
>>
> I could imagine module repositories having policies to require all modules
> hosted in the repository to have a version number.
>
> On blacklisting JAR files then just an FYI that Sun/Oracle's JDK has had
> support for blacklisting of signed JAR files [1] for some time (this is
> plugin/webstart so I can't point you to something in OpenJDK). Jigsaw
> already has signed modules, I could imagine in time having blacklisting of
> signed modules too.
>
> -Alan.
>
> [1] http://docs.oracle.com/javase/7/docs/technotes/guides/security/blacklistfeature.html
>
--
Hendy Irawan - on Twitter <http://twitter.com/hendybippo> - on LinkedIn <http://id.linkedin.com/in/hendyirawan>
Web Developer | Bippo Indonesia <http://www.bippo.co.id/> | Business Accelerator | Bandung
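The trade-off David describes above (a checksum never false-positives but misses every recompiled build; manifest metadata survives recompilation but may simply be absent) is easy to see on constructed JARs. The following Python script is an added example, not code from the thread or from any of the projects mentioned: it builds small in-memory JARs (a JAR is a zip), reads the standard `Implementation-Title` / `Implementation-Version` main attributes from `META-INF/MANIFEST.MF` (falling back to the OSGi `Bundle-Name` / `Bundle-Version`), and classifies each JAR first by SHA-256 and then by metadata. The title string "Spring Framework", the class bytes and the blacklist contents are constructed for the demo; only the version numbers 2.5.6 and 2.5.6.SEC01 come from the message.

```python
"""Added example: checksum vs. manifest-metadata identification of a
vulnerable JAR, on constructed in-memory JARs (not real artifacts)."""
import hashlib
import io
import zipfile

# Constructed blacklist: (title, version) pairs known to be vulnerable.
# The title string is a hypothetical value; real manifests vary.
KNOWN_BAD_VERSIONS = {("Spring Framework", "2.5.6")}


def build_jar(manifest_attrs, class_bytes):
    """Build a minimal JAR (zip) in memory with the given main attributes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        lines = ["Manifest-Version: 1.0"]
        lines += [f"{k}: {v}" for k, v in manifest_attrs.items()]
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n\r\n")
        zf.writestr("org/example/Foo.class", class_bytes)
    return buf.getvalue()


def parse_manifest(jar_bytes):
    """Return the main-section attributes of META-INF/MANIFEST.MF.

    A line beginning with a single space continues the previous value
    (the JAR spec wraps lines at 72 bytes); the first blank line ends the
    main section. A JAR without a manifest yields {}.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
        except KeyError:
            return {}
    attrs, last = {}, None
    for raw in text.splitlines():
        if not raw:
            break
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            continue
        last = name.strip()
        attrs[last] = value.strip()
    return attrs


def identify(jar_bytes):
    """(title, version) from the manifest, or None if either is missing."""
    m = parse_manifest(jar_bytes)
    title = m.get("Implementation-Title") or m.get("Bundle-Name")
    version = m.get("Implementation-Version") or m.get("Bundle-Version")
    if not title or not version:
        return None
    return (title, version)


def classify(jar_bytes, bad_hashes, bad_versions=KNOWN_BAD_VERSIONS):
    """Return (verdict, basis): verdict is 'vulnerable', 'clean' or 'unknown'.

    A checksum hit is authoritative (zero false positives). Otherwise fall
    back to manifest metadata, which survives recompilation. If the manifest
    carries no title/version, say so rather than guess.
    """
    if hashlib.sha256(jar_bytes).hexdigest() in bad_hashes:
        return "vulnerable", "checksum"
    ident = identify(jar_bytes)
    if ident is None:
        return "unknown", "no-version-metadata"
    return ("vulnerable" if ident in bad_versions else "clean"), "metadata"


def demo():
    """Four constructed JARs: the original vulnerable build, a recompile of
    it, the SEC01 fix, and a build whose manifest carries no version."""
    vuln = {"Implementation-Title": "Spring Framework",
            "Implementation-Version": "2.5.6"}
    fixed = {"Implementation-Title": "Spring Framework",
             "Implementation-Version": "2.5.6.SEC01"}
    jars = {
        "original": build_jar(vuln, b"\xca\xfe\xba\xbe original build"),
        "recompiled": build_jar(vuln, b"\xca\xfe\xba\xbe rebuilt elsewhere"),
        "fixed": build_jar(fixed, b"\xca\xfe\xba\xbe patched build"),
        "stripped": build_jar({}, b"\xca\xfe\xba\xbe original build"),
    }
    # The checksum blacklist only ever knows the bits of the original build.
    bad_hashes = {hashlib.sha256(jars["original"]).hexdigest()}
    return {name: classify(j, bad_hashes) for name, j in jars.items()}


if __name__ == "__main__":
    for name, (verdict, basis) in demo().items():
        print(f"{name:11s} {verdict:11s} via {basis}")
```

Running it shows the four cases in one table: the original build is caught by checksum, the recompile is missed by checksum and caught only by metadata, the SEC01 build is told apart from 2.5.6 by exact version match, and the build with no version attributes can only be reported as unknown, which is precisely the gap a mandatory module version would close.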