On Tue, 20 Sep 2022 17:37:50 GMT, Alan Bateman <al...@openjdk.org> wrote:

>>> > OK, will make another pass at this today
>>> 
>>> I looked at the latest draft 
>>> ([2bafc00](https://github.com/openjdk/jdk/commit/2bafc00cc462b7af3f724371ac1bef5fd99c989c)).
>>>  I think it would help if the section "Verifying a JarInputStream" were 
>>> renamed to "Signed JAR files".
>> 
>> OK, I will change as you suggest
>> 
>>  The link to getManifest makes the reader wonder if they have to call this 
>> method whereas I think what you want to say that the manifest must be at the 
>> start of the stream (as per the first section) and then followed by 
>> signature entries.
>> 
>> The reason I used the getManifest wording is I felt it was easier and less 
>> redundant than copying the wording about the Manifest needing to be either 
>> the first or second entry (assuming META-INF/ is the first in the stream).  
>> However if you prefer that, I will make that change.
>
> Thanks for the updates in 69138715.  Just one comment on the updated text, 
> and specifically this sentence:
> 
> + *  A {@code JarInputStream} may be used to verify the signatures of a
> + *  <a href="{@docRoot}/../specs/jar/jar.html#signed-jar-file">signed JAR 
> file</a>
> + *  assuming the following requirements are met:
> 
> The signatures are verified by default so I think you can reduce this down to:
>  
> A {@code JarInputStream}  verifies the signatures of entries in a <a 
> href="{@docRoot}/../specs/jar/jar.html#signed-jar-file">Signed JAR file</a>  
> when:
> 
> We could say that a program could opt-out of verification by using the 2-arg 
> constructor but that is probably too much to try to fit in here.

> Thanks for the updates in 
> [6913871](https://github.com/openjdk/jdk/commit/691387157f01602ee25a1887223e00f880d071d1).
>  Just one comment on the updated text, and specifically this sentence:
> 
> * * A {@code JarInputStream} may be used to verify the signatures of a
> * * [signed JAR file]({@docRoot}/../specs/jar/jar.html#signed-jar-file)
> * * assuming the following requirements are met:
> 
> The signatures are verified by default so I think you can reduce this down to:
> 
> A {@code JarInputStream} verifies the signatures of entries in a [Signed JAR 
> file]({@docRoot}/../specs/jar/jar.html#signed-jar-file) when:
> 
> We could say that a program could opt-out of verification by using the 2-arg 
> constructor but that is probably too much to try to fit in here.

Updated per your suggestion above.

-------------

PR: https://git.openjdk.org/jdk/pull/10045

Reply via email to