Signed code only helps to identify a signer. You still have to trust the
signer or not.

- Alexey

--
{ http://trelony.cjb.net/   } Alexey N. Solofnenko
{ http://www.inventigo.com/ } Inventigo LLC
Pleasant Hill, CA (GMT-8 usually)

----- Original Message -----
From: "Steve Loughran" <[EMAIL PROTECTED]>
To: "Ant Users List" <[EMAIL PROTECTED]>
Sent: Friday, November 08, 2002 2:50 PM
Subject: Re: Ant you have a greeting card from Daisy.



> BTW: http://www.messagelabs.com/viruseye/report.asp?id=111
>

Oh, this page also implies it uses a JAR-based install too. So maybe having
Java installed in your web browser is a vulnerability.

As an aside, this exposes a flaw in signed code. Signed code says it hasn't
been tampered with; it doesn't guarantee that the code isn't malicious. Even
if Sun, Netscape and MS went and revoked the relevant code signatures, they
could just buy new signatures and re-sign everything. Sandboxes are all that
you can trust.

-steve


--
To unsubscribe, e-mail:   <mailto:ant-user-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:ant-user-help@;jakarta.apache.org>
