Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[cross-project-issues-dev] A caution on signed/unsigned jars (especially from Orbit)

At the Orbit status call today, I drew the short straw to write this "caution" about some Orbit bundles.
(Which is only fair, since I brought it up :)

As everyone probably knows, some bundles are purposely distributed by multiple projects.

And, some projects sign their bundles, and some do not.

This combination gives rise to some cases where some bundles with identical names and versions
are distributed, but not quite identical ... the executable code is identical, but some are signed, some are not.

One example we noticed in WTP is javax.servlet.jsp ... the platform signs it, we in WTP do not.
The signed jars are slightly larger in size than their unsigned counterparts.

One reason this might be an issue, is that signed jars can potentially have performance implications,
so, could theoretically effect "final testing", or could effect "performance in the field", depending on what the user
ends up with in their installation.

Consumers of Europa should be aware of this, since it may effect how they want to "build" their
distributions. Typically people should keep a signed jar, if there is one, and not replace it with an unsigned jar.

I know the way I sometimes install is to unzip the platform, and then unzip WTP, saying to automatically replace
existing files (since otherwise I am prompted a number of times if I want to replace certain redundant
legal files ... .which is a whole other bag of worms :). So ... I think from now on I will not do this automatic replacement!

There is no known "real" problem with this issue we know of, but we thought it best to make everyone
aware the issue, if you were not already.  

For next release, I think we will all sign, and we will sign in Orbit, so should not be a problem then.

Back to the top