Sign all plugins (their jar file), to avoi
Project: | JNode Core |
Component: | Miscellaneous |
Category: | feature request |
Priority: | normal |
Assigned: | Unassigned |
Status: | active |
Description
Sign all plugins (their jar file), to avoid malicious code from entering the system.
- Login to post comments
Package Sealing
Maybe packages defined by plugin JARs should also be sealed in addition to being signed.
Sebastian
Good idea
I think that is a good idea (sealing is not yet implemented in JNode, but that can change).
However, we should discuss if this would have any negative sideeffects.
Ewout
Negative sideeffects
Yes, I also don't know the implications when using multiple custom classloaders. Maybe it is neccessary to limit package sealing to child classloaders. E.g. only throw a SecurityException when an attempt is made to load classes that are part of the sealed package using the classloader that loaded the sealed package, or one of its child classloaders.
More thought may go into this topic when this issue is processed.
Sebastian