Re: [cross-project-issues-dev] (Mirror) security

So it's possible for another process to tamper with jars and have Eclipse run them blindly. Do we know if that is industry practice?

On 2020-09-24 12:07 p.m., Thomas Watson wrote:

Yes, p2 verifies the signatures and content of the JARs to confirm it hasn't been tampered with before installing the JAR. At runtime the verification of JARs is not enabled by default. Otherwise what you did would have resulted in a runtime exception for the class you changed.

Tom

----- Original message -----
From: Wim Jongman <wim.jongman@xxxxxxxxx>
Sent by: cross-project-issues-dev-bounces@xxxxxxxxxxx
To: Cross project issues <cross-project-issues-dev@xxxxxxxxxxx>
Cc:
Subject: [EXTERNAL] [cross-project-issues-dev] (Mirror) security
Date: Thu, Sep 24, 2020 10:18 AM

Hi,

This is probably a silly question but I was wondering how we protect the content of jar files as they are being pulled from mirrors all over the world.

Due to a recent break in the Platform class, I compiled my own version of the Platform class where I re-added the removed method. Then I replaced it in the plugins/o.e.c.runtime jar using 7-zip.

This solved my issue but it also made me wonder how this was protected if some mirror-server user used the same hack to dope our jars.

I assume this is being done by p2 when downloading the jar files by comparing some MDA hash?

Please enlighten me.

Cheers,

Wim

      _______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev

-- 
Denis Roy
Director, IT Services | Eclipse Foundation, Inc.
Eclipse Foundation: The Platform for Open Innovation and Collaboration
Twitter: @droy_eclipse
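Tom's point is that verification compares each JAR entry against the digests recorded in the signed manifest, which is exactly what a class swapped in with a zip tool fails. The following is an added example (not code from p2, Equinox or anyone in this thread) that performs only the per-entry SHA-256-Digest step of JAR verification in Python, on constructed jar bytes and a constructed class entry; a full verification additionally checks the .SF file and its signature block against trusted certificates.

```python
import base64
import hashlib
import io
import zipfile

def sha256_b64(data):
    """Digest encoding used by MANIFEST.MF: base64 of the raw SHA-256."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def parse_manifest(text):
    """Parse MANIFEST.MF into {Name: {header: value}} for the per-entry sections.
    A line starting with a space continues the previous line (72-byte wrapping)."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    sections, current = {}, {}
    for line in logical + [""]:          # trailing "" flushes the last section
        if not line:
            if "Name" in current:
                sections[current["Name"]] = current
            current = {}
        else:
            key, _, value = line.partition(": ")
            current[key] = value
    return sections

def verify_entry_digests(jar_bytes):
    """Map each non-META-INF entry to True if its SHA-256 matches the manifest,
    False if it differs or if the manifest does not list the entry at all."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in zf.namelist():
            if name.endswith("/") or name.startswith("META-INF/"):
                continue
            expected = manifest.get(name, {}).get("SHA-256-Digest")
            results[name] = expected == sha256_b64(zf.read(name))
    return results

def build_jar(manifest, entries):
    """Constructed sample: a minimal jar holding the manifest text and entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

CLASS_NAME = "org/eclipse/core/runtime/Platform.class"
ORIGINAL = b"\xca\xfe\xba\xbe original Platform.class (constructed bytes)"
MANIFEST = ("Manifest-Version: 1.0\r\n\r\nName: %s\r\nSHA-256-Digest: %s\r\n\r\n"
            % (CLASS_NAME, sha256_b64(ORIGINAL)))
GOOD_JAR = build_jar(MANIFEST, {CLASS_NAME: ORIGINAL})
# Same manifest, class replaced afterwards: what a zip-tool edit leaves behind.
TAMPERED_JAR = build_jar(MANIFEST, {CLASS_NAME: ORIGINAL + b" + re-added method"})
```

Running `verify_entry_digests` on the two jars reports the untouched entry as True and the replaced one as False; an entry added to the jar without a manifest section is also reported as False.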