Serge Knystautas wrote:
On 5/29/06, Noel J. Bergman <[EMAIL PROTECTED]> wrote:
team indicates they don't support. Second, and more importantly, they must
handle authentication of signed artifacts.  Without the latter, I would
sooner include the necessary jars, or require the user to download them
directly from a vendor site. Automatic downloading and installation without
verification is wrong, dangerous and irresponsible.  I don't mean signed
jars in the Java sense of jar signing. I mean signed as in the ASF release
methodology.

I think this is just a bunch of FUD.  Java has survived for 10+ years
without such an attack.  There are just too many easier ways to hack
systems.

Obviously when ant and maven and other methods of automatically
downloading support authentication, then great, but I see this as a
bogus reason to not use automatic downloads.

+1

Automatic download is an optional feature: if you want to download manually, you can. If you prefer to download automatically and then check the signatures manually, you can do that too.

In fact the download itself has nothing to do with verification. If you manually download the jars you should check the signature anyway, because vendor sites are not much more difficult to spoof than ibiblio.

Stefano
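The check Stefano describes (verify the published signature or checksum regardless of how the jar arrived) is shown below as an added example; it is not code from this thread, from the ASF, or from any of the build tools mentioned. It assumes a coreutils-style `.sha512` sidecar file obtained from a location the downloader already trusts; the artifact name, the jar bytes and the checksum text are all constructed for the example.

```python
"""Added example (not from the thread): verify a downloaded jar against a
checksum sidecar obtained from a trusted location *before* installing it.

The artifact bytes, the file name and the checksum text below are all
constructed for the example. A real tool would fetch the jar from a mirror
(e.g. ibiblio) and the .sha512 file from the project's canonical site.
"""
import hashlib
import hmac
from pathlib import Path


class VerificationError(Exception):
    """Raised when an artifact must not be installed."""


def parse_checksum_file(text: str) -> dict:
    """Parse coreutils-style lines ('<hex>  <name>' or '<hex> *<name>')
    into {name: hex_digest}. Malformed lines are an error, not ignored."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise VerificationError(f"malformed checksum line: {line!r}")
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return entries


def verify_artifact(name: str, data: bytes, checksum_text: str,
                    algorithm: str = "sha512") -> bool:
    """True only if the artifact's digest matches the published one.
    An artifact missing from the checksum file counts as unverified."""
    expected = parse_checksum_file(checksum_text).get(name)
    if expected is None:
        return False
    actual = hashlib.new(algorithm, data).hexdigest()
    # compare_digest avoids leaking the position of a mismatch via timing
    return hmac.compare_digest(actual, expected)


def install_if_verified(name: str, data: bytes, checksum_text: str,
                        dest_dir: str) -> Path:
    """Write the artifact into dest_dir only after it verifies; otherwise
    refuse and leave nothing on disk (the 'no unverified install' rule)."""
    if not verify_artifact(name, data, checksum_text):
        raise VerificationError(
            f"{name}: checksum mismatch or not listed, refusing to install")
    dest = Path(dest_dir) / name
    dest.write_bytes(data)
    return dest


# --- constructed sample data (hypothetical artifact) ------------------
ARTIFACT_NAME = "example-lib-1.0.jar"
GOOD_JAR = b"PK\x03\x04 constructed jar contents v1.0"
TAMPERED_JAR = b"PK\x03\x04 constructed jar contents v1.0 + extra bytes"

# Simulates the .sha512 sidecar published on the project's own site, in
# the format `sha512sum` writes and `sha512sum -c` reads.
CHECKSUM_TEXT = (
    "# checksums for the example-lib 1.0 release (constructed)\n"
    f"{hashlib.sha512(GOOD_JAR).hexdigest()}  {ARTIFACT_NAME}\n"
)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print("installed:", install_if_verified(
            ARTIFACT_NAME, GOOD_JAR, CHECKSUM_TEXT, tmp))
        try:
            install_if_verified(ARTIFACT_NAME, TAMPERED_JAR, CHECKSUM_TEXT, tmp)
        except VerificationError as err:
            print("rejected:", err)
```

A checksum only helps against a tampered mirror if the checksum file itself came from somewhere other than that mirror; if both are fetched from the same spoofed host the attacker simply publishes matching values. Authenticity, which is what the ASF release methodology Noel refers to adds on top, comes from the detached `.asc` PGP signature checked against the project's published KEYS file (`gpg --verify`); the flow above is the integrity half of that check, and it is the same whether the jar was downloaded by hand or by the build tool.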


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]