The codebase is signed and download permission is granted only to the signed codebase.
Sent from my Samsung device. Include original message ---- Original message ---- From: Michał Kłeczek <mic...@kleczek.org> Sent: 14/02/2017 01:27:09 am To: dev@river.apache.org Subject: Re: OSGi NP Complete Was: OSGi - deserialization remote invocation strategy See below. Peter wrote: > Using one of the secure discovery providers with authentication and input >validation. Download and deserialization permissions are granted dynamically >just after authentication, but before download. But now you just moved trust decisions to SafeServiceRegistrar implementation. It is even worse than with "CodeDownloadingSmartProxyWrapper" because SafeServiceRegistrar implementation classes are dynamically downloaded while the CodeDownloadingSmartProxyWrapper class is local. Thanks, Michal