Re: [cross-project-issues-dev] (Mirror) security

Yes, p2 verifies the signatures and content of the JARs to confirm they haven't been tampered with before installing the JAR. At runtime the verification of JARs is not enabled by default. Otherwise what you did would have resulted in a runtime exception for the class you changed.
 

Tom
 
 
 
----- Original message -----
From: Wim Jongman <wim.jongman@xxxxxxxxx>
Sent by: cross-project-issues-dev-bounces@xxxxxxxxxxx
To: Cross project issues <cross-project-issues-dev@xxxxxxxxxxx>
Cc:
Subject: [EXTERNAL] [cross-project-issues-dev] (Mirror) security
Date: Thu, Sep 24, 2020 10:18 AM
 
Hi,
 
This is probably a silly question but I was wondering how we protect the content of jar files as they are being pulled from mirrors all over the world.
 
Due to a recent break in the Platform class, I compiled my own version of the Platform class where I re-added the removed method. Then I replaced it in the plugins/o.e.c.runtime jar using 7-zip.
 
This solved my issue but it also made me wonder how this was protected if some mirror-server user used the same hack to dope our jars.
 
I assume this is being done by p2 when downloading the jar files by comparing some MDA hash?
 
Please enlighten me.
 
Cheers,
 
Wim
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
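
The check discussed in this thread can be reproduced by hand on any signed JAR. The following is an added example, not part of the original messages and not p2 or Equinox code: it uses only the JDK's `java.util.jar` API, and the class name `JarTamperCheck` and its output labels are made up for illustration.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarTamperCheck {
    /** Returns the problems found; an empty list means every entry matched a signature. */
    static List<String> check(String path) throws Exception {
        List<String> problems = new ArrayList<>();
        byte[] buf = new byte[8192];
        // verify=true: entry digests are compared with the signed manifest while reading.
        try (JarFile jar = new JarFile(path, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                String name = entry.getName();
                if (entry.isDirectory() || isSignatureFile(name)) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* digest is checked at end of stream */ }
                } catch (SecurityException e) {
                    // Content no longer matches the digest recorded when the JAR was signed.
                    problems.add("MODIFIED " + name + ": " + e.getMessage());
                    continue;
                }
                // Signer information is only available after the entry was read completely.
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) problems.add("UNSIGNED " + name);
            }
        }
        return problems;
    }

    /** The manifest and signature block files directly under META-INF are not signed themselves. */
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.endsWith(".SF") || n.endsWith(".RSA")
                || n.endsWith(".DSA") || n.endsWith(".EC") || n.startsWith("META-INF/SIG-");
    }

    public static void main(String[] args) throws Exception {
        List<String> problems = check(args[0]); // path to the JAR to inspect
        problems.forEach(System.out::println);
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

A class swapped into a signed JAR with an archive tool shows up as `MODIFIED`, and an entry added after signing as `UNSIGNED`. This only confirms the content matches the embedded signature; it does not check that the signing certificate chains to a trusted authority, so a JAR re-signed with a different key would still pass.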