-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >> 1. JNLP apps should be signed if they are to have total access to the >> end user's system. Moreover, _all_ jars downloaded by the app should be >> signed as well, or placed in the Java's lib directory manually by the >> user. This applies _specifically_ to all native libraries. Unsigned JNLP >> apps run in a sandbox similar to applets. > > Yes, could be signed with a self-signed certificate as it's now.
Definitely. As far as I understand, self-signed certificates aren't safe from MITM attack, but for our purposes it is irrelevant, that's true. >> 2. There's no way to guarantee a certain application path (for example, >> to keep the log file). The place where JNLP-installed application will >> reside is entirely implementation-dependent and is (usually) not obvious >> to the user. >> > > agreed, that's the main issue Definitely. JNLP app can ask for persistent storage - but it should provide its own means of displaying its contents. Otherwise, we can ask for log file name, etc on first launch. >> 3. JNLP insures that app files are up-to-date on each application >> launch, and forces updates if necessary. If general, JNLP gives user >> _absolutely_ no choice as to what version will be installed. What if in >> the future, Freenet's site will become compromised and an "evilly" >> modified version will silently get installed on _all_ of the users' >> computers when Freenet is next launched? >> > > well as they are signed :/ was the old wininstaller asking for a grant ? Sorry if I haven't been clear. I'm not afraid of the malicious code as such - I'm afraid that with JWS/JNLP you are _guaranteed_ to get it, against your wishes (until you manually mess with JSW settings, which 99% of people won't do). With wininstaller you have a choice of running the wininstaller or the update app. With JNLP, you don't. >> 4. There's no simple way to transfer JVM parameters to a JNLP-launched >> app, save for a very limited set. >> > > There is a JvmArg parameter or something like that Hmm... Haven't looked into this, really, for my uses default behavior was sufficient, and we switched to JNLP wrapper later on in the project, which made the point moot. I just recall from JNLP spec that there were some parameters for setting min/max heap size, and just a couple of others. >> What could be created is a JNLP installer/wrapper (such as the one from >> http://www.duckcreeksoftware.com, which is freely available for >> non-profit projects, BTW). It can then allow a choice between several >> different versions, optional libraries, etc. But if we're going to do >> this, why not use something like IzPack? > > Well, that's basically what ant-installer was supposed to do :) IzPack > looks nicer :) Oh, I see. Ok then. Regards, Victor Denisov. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFEDcJdZNYkuHT6CyURAknmAKDumX2Qc6tz/uxHQvdQcDOf9b87SQCfUidY VQLgjwxuicN2CQkihB2Fbb4= =hiU4 -----END PGP SIGNATURE-----
