Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [] Is jar signing mandatory?

> On Mar 18, 2020, at 08:10, Mickael Istria <mistria@xxxxxxxxxx> wrote:
> I don't think most consumers really expect jars to be signed. I think those consumers basically trust the source, ie if the jar comes from servers or services, then it's enough authenticity for them

You realise this is a false claim because we heavily rely on a mirror infrastructure for distribution?

> . I looked at some other popular projects (Maven, JUnit, slf4j...) and none has signed jars, but that doesn't prevent their adoption.

Is is true and yet this is only successfully because they rely on Maven Central for distribution, which runs on a combination of fingerprints, secure transport and rigorous upload/promotion process.

You need to reflect on risk and impact. If JUnit is affected - it's just JUnit. If any Eclipse project is affected - it's all Eclipse projects. That's why Maven Central has this strict upload/promotion/verification process - if Maven Central is affected oh well...

> And in case user have doubts, they can still check (with build information like originating commit, and comparing some "official" project output) that their jar actually comes from Eclipse Foundation servers.

Ignoring the false origin claim as already discussed above: Do you really believe all users of any Eclipse project (every single one) will be able to come up with the described steps and perform them manually? Sometimes even I struggle with how Eclipse works [1]. I wouldn't want every single user to deal with the complexity of figuring out whether a jar of the embedded help center Jetty was tampered with or an image in the about dialog to inject a key logger or some other backdoor into their system.



Gunnar Wagenknecht

Back to the top