I know we've just finished Ganymede
M5 ... well, not even sure it is completely finished yet ... but for those
of you that have
started on your M6 work, there is a
I-build from Orbit that is the
first to have signed bundles.
Hopefully this is only goodness, but
there is some chance for complications and we in Orbit
can never know about it, so we depend
on consuming projects to let us know if problems.
So ... good time to get started for
The main problem to watch for is that
there could end up being some (large) performance penalty
in some cases. From the Platform's experiences,
this can occur if the code uses it's own custom
classloaders and ends up re-loading
(and hence re-verifying) the class over and over again.
Some of you projects may have already
been signing these jars as part of your own build process.
As far as we can tell, it doesn't hurt
if you continue to do so. From our tiny experiments in Orbit,
it turns into basically a "no-op"
but each file is still processed so you may gain some slight build-time
if you tell your build process to skip
those that are already signed by Orbit. Currently the only way to do
that is to maintain your own list to
pass to the JarProcessor (See bug