Sign all plugins (their jar file), to avoi

Project:JNode Core
Component:Miscellaneous
Category:feature request
Priority:normal
Assigned:Unassigned
Status:active
Description

Sign all plugins (their jar file), to avoid malicious code from entering the system.

Package Sealing

Maybe packages defined by plugin JARs should also be sealed in addition to being signed.

Sebastian

Good idea

I think that is a good idea (sealing is not yet implemented in JNode, but that can change).
However, we should discuss if this would have any negative sideeffects.

Ewout

Negative sideeffects

Yes, I also don't know the implications when using multiple custom classloaders. Maybe it is neccessary to limit package sealing to child classloaders. E.g. only throw a SecurityException when an attempt is made to load classes that are part of the sealed package using the classloader that loaded the sealed package, or one of its child classloaders.

More thought may go into this topic when this issue is processed.

Sebastian