Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Oomph » Checksum Validation of Installed Packages(Validating packages installed by Oomph)
Checksum Validation of Installed Packages [message #1761183] Mon, 08 May 2017 15:38 Go to next message
Virginia Pierson is currently offline Virginia PiersonFriend
Messages: 2
Registered: May 2017
Junior Member
Does the Oomph installer do any automatic validation of the packages it downloads/installs from mirror sites? Or is this something you have to try and implement yourself?

Report message to a moderator

Re: Checksum Validation of Installed Packages [message #1761304 is a reply to message #1761183] Tue, 09 May 2017 15:03 Go to previous messageGo to next message
Denis Roy is currently offline Denis RoyFriend
Messages: 449
Registered: October 2004
Location: Ottawa, Ontario, Canada
Senior Member
Packages that are downloaded are signed, and Eclipse does validate those digital signatures.

Denis Roy
Eclipse Webmaster -- webmaster@eclipse.org

Report message to a moderator

Re: Checksum Validation of Installed Packages [message #1761307 is a reply to message #1761304] Tue, 09 May 2017 15:12 Go to previous messageGo to next message
Ed Merks is currently offline Ed MerksFriend
Messages: 29545
Registered: July 2009
Senior Member
Oomph does no more or less checking than p2 itself does when you install something into an IDE. All signed artifacts are verified, any before any unsigned artifact is installed, you will be asked if that's okay. So if you unless you install unsigned things, you can be sure you're really installing what you're expecting to be installing.

Report message to a moderator

Re: Checksum Validation of Installed Packages [message #1764494 is a reply to message #1761307] Tue, 30 May 2017 13:39 Go to previous messageGo to next message
Virginia Pierson is currently offline Virginia PiersonFriend
Messages: 2
Registered: May 2017
Junior Member
Does it also do any checksum validation, like with the SHA or something else? Or is it just the signature, so that if you're downloading unsigned packages you have no way of knowing whether or not it's what you expect?

Report message to a moderator

Re: Checksum Validation of Installed Packages [message #1764501 is a reply to message #1764494] Tue, 30 May 2017 14:45 Go to previous message
Ed Merks is currently offline Ed MerksFriend
Messages: 29545
Registered: July 2009
Senior Member
I suppose unsigned jars could be tampered.

Report message to a moderator

Previous Topic:CI Testing of Setups
Next Topic:Adding update repository to Eclipse Installer
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Sep 22 06:49:17 GMT 2018

Powered by FUDForum. Page generated in 0.02058 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top

Sign up to our Newsletter

A fresh new issue delivered monthly