Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [eclipse-ide-wg] jarsigning vs jetty (and others)


Discussions at the Steering Committedd are underway.  The committee meets next Tuesday where we will get a chance to discuss the issue virtually face-to-face...

Could I ask a favor that you outline (briefly summarize) the specifics of your PGP proposal?


On 13.08.2021 16:35, Mickael Istria wrote:
Hi all,

I'm asking here since as far as I understand, the WG now owns SimRel and has become the entity that can decide of its requirements. Please correct me if I'm wrong.

We are facing a big issue these days: it becomes impossible to keep up-to-date with some upstream deps beause of the jarsigning requirement.
One example is Jetty: Platform needs to frequently update to newer Jetty, because of CVEs (CVEs are considered as important by Platform project), but upgrading to newer Jetty requires a *lot* of effort because Jetty doesn't use jarsigning so Platform has to maintain a site of Jetty artifacts that are jarsigned just to be compatible with SimRel. This effort has been growing and required more frequently, it doesn't scale, waste manpower that would be better spent on features or UX or other performance optimizations.
So we'd really like to see this requirement moving away. On this direction, we have prepared some initial work allowing to store PGP signatures in p2 metadata.

However, this technical achievement doesn't answer the one and only question that would allow to kiss jarsigner requirement goodbye: what is the security we want for SimRel? What kind of verifications do we want to be able to do?

Thanks in advance for your insights
Mickael Istria
Eclipse IDE developer, for Red Hat Developers

eclipse-ide-wg mailing list
To change your delivery options, retrieve your password, or unsubscribe from this list, visit

Back to the top