Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Oomph » Checksum Validation of Installed Packages(Validating packages installed by Oomph)
Checksum Validation of Installed Packages [message #1761183] Mon, 08 May 2017 15:38 Go to next message
Virginia Pierson is currently offline Virginia PiersonFriend
Messages: 2
Registered: May 2017
Junior Member
Does the Oomph installer do any automatic validation of the packages it downloads/installs from mirror sites? Or is this something you have to try and implement yourself?
Re: Checksum Validation of Installed Packages [message #1761304 is a reply to message #1761183] Tue, 09 May 2017 15:03 Go to previous messageGo to next message
Denis Roy is currently offline Denis RoyFriend
Messages: 451
Registered: October 2004
Location: Ottawa, Ontario, Canada
Senior Member

Packages that are downloaded are signed, and Eclipse does validate those digital signatures.

Denis Roy
Eclipse Webmaster -- webmaster@eclipse.org
Re: Checksum Validation of Installed Packages [message #1761307 is a reply to message #1761304] Tue, 09 May 2017 15:12 Go to previous messageGo to next message
Ed Merks is currently offline Ed MerksFriend
Messages: 29646
Registered: July 2009
Senior Member
Oomph does no more or less checking than p2 itself does when you install something into an IDE. All signed artifacts are verified, any before any unsigned artifact is installed, you will be asked if that's okay. So if you unless you install unsigned things, you can be sure you're really installing what you're expecting to be installing.
Re: Checksum Validation of Installed Packages [message #1764494 is a reply to message #1761307] Tue, 30 May 2017 13:39 Go to previous messageGo to next message
Virginia Pierson is currently offline Virginia PiersonFriend
Messages: 2
Registered: May 2017
Junior Member
Does it also do any checksum validation, like with the SHA or something else? Or is it just the signature, so that if you're downloading unsigned packages you have no way of knowing whether or not it's what you expect?
Re: Checksum Validation of Installed Packages [message #1764501 is a reply to message #1764494] Tue, 30 May 2017 14:45 Go to previous message
Ed Merks is currently offline Ed MerksFriend
Messages: 29646
Registered: July 2009
Senior Member
I suppose unsigned jars could be tampered.
Previous Topic:CI Testing of Setups
Next Topic:Adding update repository to Eclipse Installer
Goto Forum:
  


Current Time: Mon Nov 12 17:33:00 GMT 2018

Powered by FUDForum. Page generated in 0.02082 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top