Re: [cross-project-issues-dev] (Mirror) security
Wim,
This is one of the reasons why jars must be signed. If they are
tampered with, the signature is broken. So this is certification of
origin. Also, as you assume, the artifact metadata includes
various checksums to verify download integrity:
<artifact classifier='osgi.bundle' id='org.eclipse.justj.openjdk.hotspot.jre.minimal.stripped.win32.x86_64' version='11.0.2.v20200815-0835'>
  <properties size='8'>
    <property name='artifact.size' value='29915455'/>
    <property name='download.size' value='29915455'/>
    <property name='maven-groupId' value='org.eclipse.justj'/>
    <property name='maven-artifactId' value='org.eclipse.justj.openjdk.hotspot.jre.minimal.stripped.win32.x86_64'/>
    <property name='maven-version' value='11.0.2-SNAPSHOT'/>
    <property name='download.md5' value='9a630304c4bcfb5c13f8f62beb62426e'/>
    <property name='download.checksum.md5' value='9a630304c4bcfb5c13f8f62beb62426e'/>
    <property name='download.checksum.sha-256' value='8741ab9d23a8152b42647cea844bf67689bf3781ae46fcb670d0e4279d6b4bc6'/>
  </properties>
</artifact>
Regards,
Ed
On 24.09.2020 17:17, Wim Jongman wrote:
Hi,
This is probably a silly question but I was wondering how
we protect the content of jar files as they are being pulled
from mirrors all over the world.
Due to a recent break in the Platform class, I compiled my
own version of the Platform class where I re-added the removed
method. Then I replaced it in the plugins/o.e.c.runtime jar
using 7-zip.
This solved my issue but it also made me wonder how this
was protected if some mirror-server user used the same hack to
dope our jars.
I assume this is being done by p2 when downloading the jar
files by comparing some MDA hash?
Please enlighten me.
Cheers,
Wim
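
Added example (not part of the original messages, and not p2's own code): a Python check of downloaded bytes against the download.size and download.checksum.* properties of an <artifact> element like the one quoted above. The helper make_metadata, the artifact id 'example.bundle' and the rule that an MD5-only entry is reported as insufficient are assumptions of this example; as the reply says, the checksums cover download integrity, while origin comes from the jar signature.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Property names as they appear in the quoted metadata, mapped to hashlib names.
CHECKSUM_PROPS = [("download.checksum.sha-256", "sha256"),
                  ("download.checksum.md5", "md5"),
                  ("download.md5", "md5")]
STRONG = {"sha256"}  # assumption of this example: MD5 alone is not enough


def read_properties(artifact_xml: str) -> dict:
    """Return the name -> value properties of a single <artifact> element."""
    root = ET.fromstring(artifact_xml)
    return {p.get("name"): p.get("value") for p in root.iter("property")}


def verify_download(artifact_xml: str, data: bytes) -> list:
    """Return a list of problems; an empty list means data matches the metadata."""
    props = read_properties(artifact_xml)
    problems = []
    size = props.get("download.size")
    if size is not None and int(size) != len(data):
        problems.append(f"size mismatch: expected {size}, got {len(data)}")
    checked_strong = False
    for prop, algo in CHECKSUM_PROPS:
        expected = props.get(prop)
        if expected is None:
            continue
        actual = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(actual, expected.strip().lower()):
            problems.append(f"{prop} mismatch")
        checked_strong = checked_strong or algo in STRONG
    if not checked_strong:
        problems.append("no SHA-256 checksum in metadata")
    return problems


def make_metadata(data: bytes, with_sha256: bool = True) -> str:
    """Build constructed sample metadata for data (hypothetical artifact id)."""
    props = {"download.size": str(len(data)),
             "download.checksum.md5": hashlib.md5(data).hexdigest()}
    if with_sha256:
        props["download.checksum.sha-256"] = hashlib.sha256(data).hexdigest()
    body = "".join(f"<property name='{k}' value='{v}'/>" for k, v in props.items())
    return ("<artifact classifier='osgi.bundle' id='example.bundle' version='1.0.0'>"
            f"<properties size='{len(props)}'>{body}</properties></artifact>")
```

The check is only as trustworthy as the channel the metadata itself arrived over.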