So it's possible for another process to tamper with jars and have
Eclipse run them blindly.

Do we know if that is industry practice?



On 2020-09-24 12:07 p.m., Thomas Watson wrote:
> Yes, p2 verifies the signatures and content of the JARs to confirm it
> hasn't been tampered with before installing the JAR.  At runtime the
> verification of JARs is not enabled by default.  Otherwise what you
> did would have resulted in a runtime exception for the class you changed.
>  
>
> Tom
>  
>  
>  
>
>     ----- Original message -----
>     From: Wim Jongman <wim.jong...@gmail.com>
>     Sent by: cross-project-issues-dev-boun...@eclipse.org
>     To: Cross project issues <cross-project-issues-dev@eclipse.org>
>     Cc:
>     Subject: [EXTERNAL] [cross-project-issues-dev] (Mirror) security
>     Date: Thu, Sep 24, 2020 10:18 AM
>      
>     Hi,
>      
>     This is probably a silly question but I was wondering how we
>     protect the content of jar files as they are being pulled from
>     mirrors all over the world.
>      
>     Due to a recent break in the Platform class, I compiled my own
>     version of the Platform class where I re-added the removed method.
>     Then I replaced it in the plugins/o.e.c.runtime jar using 7-zip.
>      
>     This solved my issue but it also made me wonder how this was
>     protected if some mirror-server user used the same hack to dope
>     our jars.
>      
>     I assume this is being done by p2 when downloading the jar files
>     by comparing some MDA hash?
>      
>     Please enlighten me.
>      
>     Cheers,
>      
>     Wim
>     _______________________________________________
>     cross-project-issues-dev mailing list
>     cross-project-issues-dev@eclipse.org
>     To unsubscribe from this list, visit
>     https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
>
>  
>
>
-- 

*Denis Roy*

*Director, IT Services | **Eclipse Foundation, Inc.*

/Eclipse Foundation/ <http://www.eclipse.org/>/: The Platform for Open
Innovation and Collaboration/

Twitter: @droy_eclipse
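
Added example, not part of the original thread and not p2 or Equinox code: a Python sketch of the per-entry digest comparison that JAR verification relies on, run on a constructed JAR in which one class is replaced the way the thread describes. The entry names and the use of the SHA-256-Digest attribute are assumptions of the sample, and the check covers manifest digests only; it does not validate the signature files that authenticate the manifest itself.

```python
import base64, hashlib, io, zipfile

def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the per-entry sections."""
    # Normalise line endings and unfold continuation lines (they start with a space).
    text = text.replace("\r\n", "\n").replace("\n ", "")
    sections = {}
    for block in text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.split("\n") if ": " in line)
        if "Name" in attrs:
            sections[attrs.pop("Name")] = attrs
    return sections

def check_jar(jar_bytes):
    """Return {entry: 'ok' | 'mismatch' | 'unlisted'} for every non-META-INF file."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        listed = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in jar.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            want = listed.get(name, {}).get("SHA-256-Digest")
            if want is None:
                result[name] = "unlisted"  # present in the archive, absent from the manifest
                continue
            got = base64.b64encode(hashlib.sha256(jar.read(name)).digest()).decode()
            result[name] = "ok" if got == want else "mismatch"
    return result

def build_jar(files, manifest_from=None):
    """Constructed sample JAR: zip `files`, manifest digests computed from `manifest_from`."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in (manifest_from or files).items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        for name, data in files.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed contents (hypothetical names): the JAR as published, and the same
# JAR with one class swapped while the published manifest is left in place.
ORIGINAL = {"org/example/Platform.class": b"original bytes", "plugin.properties": b"a=b"}
PATCHED = dict(ORIGINAL, **{"org/example/Platform.class": b"recompiled bytes"})

if __name__ == "__main__":
    print(check_jar(build_jar(ORIGINAL)))
    print(check_jar(build_jar(PATCHED, manifest_from=ORIGINAL)))
```

A JAR whose manifest is regenerated along with the changed class passes this digest check, which is why the signature over the manifest has to be verified as well.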
