On 5/29/06, Noel J. Bergman <[EMAIL PROTECTED]> wrote:
team indicates they don't support. Second, and more importantly, they must handle authentication of signed artifacts. Without the latter, I would sooner include the necessary jars, or require the user to download them directly from a vendor site. Automatic downloading and installation without verification is wrong, dangerous and irresponsible. I don't mean signed jars in the Java sense of jar signing. I mean signed as in the ASF release methodology.

I think this is just a bunch of FUD. Java has survived for 10+ years without such an attack. There are just too many easier ways to hack systems. Obviously when ant and maven and other methods of automatically downloading support authentication, then great, but I see this as a bogus reason to not use automatic downloads.

--
Serge Knystautas
Lokitech >> software . strategy . design >> http://www.lokitech.com
p. 301.656.5501
e. [EMAIL PROTECTED]