Peter Firmstone wrote:
> We can base Codebase trust on:
> 1. Certificates[] "Who wrote it?"
> 2. CodeSource "Who wrote it and the name of the Codebase?"
Just a minor clarification: a CodeSource object's state is the URL and
the signer Certificates[], so it's currently "Who signed it, where it
comes from and its name". I'd like to change that to "Who signed it,
what's its name and version". Let's hope the original developer signs it,
or the people who do sign it can "vet the code", so we can equate
developers with Certificates[]. I'd like to take location out of the
equation for systems like Maven and OSGi.
Cheers,
Peter.
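The distinction drawn in the message (trust keyed on location versus trust keyed on signer) is already expressible in the JDK's `CodeSource.implies` rules: a policy-side CodeSource with a `null` location constrains only the signers, while one with a `file:/dir/-` URL constrains only the path. The following is an added example, not code from the thread or from Apache River; the JAR paths are constructed placeholders, and `signersOf` is a helper written here that reads a JAR's entries so that their signer certificates become available (unsigned or partially unsigned JARs yield `null`).

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class CodeSourceTrustDemo {

    /**
     * Collect the signer certificates of a JAR. JarEntry.getCertificates() only
     * returns a value after the entry's bytes have been read and verified, so each
     * entry is drained first. A tampered entry makes the read throw SecurityException.
     * Returns null if any non-metadata entry is unsigned, i.e. the JAR as a whole
     * cannot be attributed to a signer.
     */
    static Certificate[] signersOf(String jarPath) throws IOException {
        Set<Certificate> signers = new LinkedHashSet<>();
        try (JarFile jar = new JarFile(jarPath, true)) {       // verify = true
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain so the signature is checked */ }
                }
                Certificate[] certs = e.getCertificates();
                if (certs == null) return null;                 // unsigned entry present
                for (Certificate c : certs) signers.add(c);
            }
        }
        return signers.isEmpty() ? null : signers.toArray(new Certificate[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed locations: the same JAR installed in two different places.
        URL installed = new URL("file:/opt/river/lib/jsk-platform.jar");
        URL elsewhere = new URL("file:/tmp/jsk-platform.jar");

        // Location-based grant: everything under /opt/river/lib/ (trailing "/-" = recursive).
        CodeSource byLocation = new CodeSource(new URL("file:/opt/river/lib/-"), (Certificate[]) null);
        CodeSource unsignedInstalled = new CodeSource(installed, (Certificate[]) null);
        CodeSource unsignedElsewhere = new CodeSource(elsewhere, (Certificate[]) null);
        System.out.println("location grant, installed copy: " + byLocation.implies(unsignedInstalled)); // true
        System.out.println("location grant, moved copy:     " + byLocation.implies(unsignedElsewhere)); // false

        if (args.length != 1) {
            System.out.println("pass a signed JAR path to see signer-based matching");
            return;
        }
        Certificate[] signers = signersOf(args[0]);
        if (signers == null) {
            System.out.println(args[0] + " is not fully signed; no signer to trust");
            return;
        }
        // Signer-based grant: null location means "any location", only the certificates matter.
        CodeSource bySigner = new CodeSource(null, signers);
        CodeSource signedInstalled = new CodeSource(installed, signers);
        CodeSource signedElsewhere = new CodeSource(elsewhere, signers);
        System.out.println("signer grant, installed copy:   " + bySigner.implies(signedInstalled)); // true
        System.out.println("signer grant, moved copy:       " + bySigner.implies(signedElsewhere)); // true
        System.out.println("location grant, signed moved:   " + byLocation.implies(signedElsewhere)); // false
    }
}
```

Run with `java CodeSourceTrustDemo /path/to/signed.jar` to see the signer-only entry match the JAR wherever it is installed, while the location entry stops matching as soon as the file moves. The `null` check on `signersOf` is the part a policy author should not skip: a JAR with even one unsigned entry gives a `null` certificate array, and a CodeSource built from `null` certificates would match any code at that location.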