Some offhand questions

Alan Bateman alan.bateman at oracle.com
Sat Aug 24 14:21:28 UTC 2024



On 23/08/2024 23:04, Cesar Soares Lucas wrote:
> Hello!
>
> I've a few questions that I'd like to ask your opinion about.
>
> - Signed Jars: As far as I understand, we currently don't include classes from signed jars in the CDS archive. What is the reason for that? I had the impression that being able to archive such classes would be important given that many .jars are signed?!
>
As a general point, signed JARs on the class path or module path aren't 
all that useful. It's very different to a signed JAR loaded from a 
remote site where the JDK would need a lot more infrastructure to 
validation certificate chains. There has been consideration on and off 
for many years about dropping the support for JAR files on the class 
path (and module path). The nice thing about dropping this (only from 
the class path and module path) is that it would avoid executing a lot 
of problematic security code when open JAR files.

-Alan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/leyden-dev/attachments/20240824/ce5f0218/attachment.htm>


More information about the leyden-dev mailing list