Posted to dev@netbeans.apache.org by Lars Bruun-Hansen <lb...@gmail.com> on 2017/10/31 10:56:04 UTC

Why are signed jars a problem?

Picking up some more modules to review and I can see some of you go to
great length to find external binary in Maven Central (or elsewhere), even
where an exact match doesn't exist. (by exact match I mean where the hash
doesn't match)

More specifically:

Some external jars in the old NetBeans build have been stripped of their
signatures. Why?

See Matthias' comment here:
https://github.com/apache/incubator-netbeans/pull/118#issuecomment-336624270

In general:  How much should I try to find the external binary in some repo?

Re: Why are signed jars a problem?

Posted by Matthias Bläsing <mb...@doppel-helix.eu>.
Hi Lars,

On Tuesday, 31.10.2017, 13:01 +0100, Lars Bruun-Hansen wrote:
> Well, comparing a signed jar with an unsigned jar for equality will take
> quite a bit of time. Do you have a quick way of doing that? (let me know
> :-))
> That's why I'm leaning towards not spending time on it at this stage even
> if the (presumably) equivalent signed jar can be found in Maven Central.

A tool to make this easier is diffoscope. You can use the website 
https://try.diffoscope.org that offers that as hosted service.


As a sample from the commons-logging review:

This is the result for the two JARs:
https://try.diffoscope.org/zhusppsybqgu.html

Greetings

Matthias

Re: Why are signed jars a problem?

Posted by Lars Bruun-Hansen <lb...@gmail.com>.
Well, comparing a signed jar with an unsigned jar for equality will take
quite a bit of time. Do you have a quick way of doing that? (let me know
:-))
That's why I'm leaning towards not spending time on it at this stage even
if the (presumably) equivalent signed jar can be found in Maven Central.


On Tue, Oct 31, 2017 at 12:16 PM, Matthias Bläsing <
mblaesing@doppel-helix.eu> wrote:

> Hey Lars,
>
> On Tuesday, 31.10.2017, 11:56 +0100, Lars Bruun-Hansen wrote:
> >
> > Some external jars in the old NetBeans build have been stripped of their
> > signatures. Why?
> >
> > See Matthias' comment here:
> > https://github.com/apache/incubator-netbeans/pull/118#issuecomment-336624270
> >
> > In general:  How much should I try to find the external binary in some
> repo?
>
> I had some bad experiences with BouncyCastle JARs. It turned out that
> the jars were mixed from different versions. I'm a bit fuzzy if the
> cause were sealed packages or the signatures.
>
> As long as the signed JARs work I'm all for using them. I just pointed
> out that it could cause problems.
>
> If the signed jar is identical (apart from the signatures) or tested I
> don't see a problem switching.
>
> Greetings
>
> Matthias
>

Re: Why are signed jars a problem?

Posted by Matthias Bläsing <mb...@doppel-helix.eu>.
Hey Lars,

On Tuesday, 31.10.2017, 11:56 +0100, Lars Bruun-Hansen wrote:
> 
> Some external jars in the old NetBeans build have been stripped of their
> signatures. Why?
> 
> See Matthias' comment here:
> https://github.com/apache/incubator-netbeans/pull/118#issuecomment-336624270
> 
> In general:  How much should I try to find the external binary in some repo?

I had some bad experiences with BouncyCastle JARs. It turned out that
the jars were mixed from different versions. I'm a bit fuzzy if the
cause were sealed packages or the signatures.

As long as the signed JARs work I'm all for using them. I just pointed
out that it could cause problems.

If the signed jar is identical (apart from the signatures) or tested I
don't see a problem switching.

Greetings

Matthias

Re: Why are signed jars a problem?

Posted by Emilian Bold <em...@protonmail.ch>.
For me this covers two aspects:

* security: it should be suspicious that the same version of a JAR has a different hash based on where we find it. That's why we should manually compare the JARs and see if it's something trivial (like, different timestamps in the JAR file) or serious (different .class files, new / missing .class files).

* stability. We are less likely to introduce regressions if we stick to the same binary. The IP clearance process is not about introducing new things and updating versions but just about deciding provenance and such. Ideally, at the end of the process we should have identical files, just cleared from a legal perspective.

--emi


>-------- Original Message --------
>Subject: Why are signed jars a problem?
>Local Time: October 31, 2017 12:56 PM
>UTC Time: October 31, 2017 10:56 AM
>From: lbruunhansen@gmail.com
>To: dev@netbeans.incubator.apache.org
>
>Picking up some more modules to review and I can see some of you go to
> great length to find external binary in Maven Central (or elsewhere), even
> where an exact match doesn't exist. (by exact match I mean where the hash
> doesn't match)
>
> More specifically:
>
> Some external jars in the old NetBeans build have been stripped of their
> signatures. Why?
>
> See Matthias' comment here:
>https://github.com/apache/incubator-netbeans/pull/118#issuecomment-336624270
>
> In general:  How much should I try to find the external binary in some repo?
>
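The check Matthias and Emilian describe above (is the candidate JAR identical apart from its signature, or do .class files differ, appear or go missing?) can be scripted rather than done by hand. The following is an added example written for this thread; it is not NetBeans tooling and not diffoscope. It ignores exactly what jarsigner adds (META-INF/*.SF, *.RSA, *.DSA, *.EC, SIG-* and the per-entry digest sections appended to MANIFEST.MF), hashes every other entry's content so that zip timestamps do not matter, and reports anything else as a real difference for a human to review. The sample JARs, class bytes and signature blocks are constructed placeholders built in memory, not real javac or jarsigner output; the whole-file SHA-1 is printed because that is the value a repository checksum search keys on.

```python
import hashlib
import io
import sys
import zipfile

# Entries that jarsigner adds; everything else must match byte for byte.
SIGNATURE_BLOCK_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name):
    """True for META-INF/*.SF, *.RSA, *.DSA, *.EC and META-INF/SIG-* (JAR spec signature files).
    Only files directly under META-INF/ count, as the spec requires."""
    if not name.startswith("META-INF/") or "/" in name[len("META-INF/"):]:
        return False
    base = name[len("META-INF/"):].upper()
    return base.endswith(SIGNATURE_BLOCK_SUFFIXES) or base.startswith("SIG-")


def manifest_main_section(data):
    """Reduce MANIFEST.MF to its main section. Signing appends per-entry
    'Name:' / 'SHA-256-Digest:' sections after the first blank line; those are dropped.
    Continuation lines (leading space) are joined and attribute order is ignored,
    so a changed Created-By or Built-By still shows up as a difference."""
    text = data.decode("utf-8", errors="replace").replace("\r\n", "\n").replace("\r", "\n")
    main = text.split("\n\n", 1)[0].replace("\n ", "")
    return "\n".join(sorted(line for line in main.split("\n") if line.strip())).encode()


def jar_entries(jar_bytes):
    """Map entry name -> SHA-256 of its content, skipping directories and signature files.
    Hashing content rather than zip metadata makes differing timestamps irrelevant."""
    entries = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/") or is_signature_entry(name):
                continue
            data = zf.read(name)
            if name.upper() == "META-INF/MANIFEST.MF":
                data = manifest_main_section(data)
            entries[name] = hashlib.sha256(data).hexdigest()
    return entries


def compare_jars(a_bytes, b_bytes):
    """Classify entries as identical, changed, or present on only one side."""
    a, b = jar_entries(a_bytes), jar_entries(b_bytes)
    common = a.keys() & b.keys()
    return {
        "identical": sorted(n for n in common if a[n] == b[n]),
        "changed": sorted(n for n in common if a[n] != b[n]),
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
    }


def equivalent_apart_from_signature(a_bytes, b_bytes):
    r = compare_jars(a_bytes, b_bytes)
    return not (r["changed"] or r["only_in_a"] or r["only_in_b"])


def file_sha1(jar_bytes):
    """Whole-file SHA-1, the value a repository checksum search keys on."""
    return hashlib.sha1(jar_bytes).hexdigest()


def build_jar(entries, stamp=(2017, 10, 31, 10, 56, 0)):
    """Construct a small JAR in memory (fixture for the demo only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), data, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


# Constructed fixtures: placeholder class bytes and signature blocks, not real javac/jarsigner output.
CLASS_V1 = b"\xca\xfe\xba\xbe" + b"constructed Foo.class v1"
CLASS_V2 = b"\xca\xfe\xba\xbe" + b"constructed Foo.class v2"
MANIFEST = b"Manifest-Version: 1.0\r\nCreated-By: 1.8.0 (constructed)\r\n\r\n"
SIGNED_MANIFEST = MANIFEST + b"Name: org/example/Foo.class\r\nSHA-256-Digest: cGxhY2Vob2xkZXI=\r\n\r\n"
SIG_FILES = {"META-INF/EXAMPLE.SF": b"constructed signature file",
             "META-INF/EXAMPLE.RSA": b"constructed signature block"}

UNSIGNED_JAR = build_jar({"META-INF/MANIFEST.MF": MANIFEST, "org/example/Foo.class": CLASS_V1})
# Same classes, signed, and rebuilt at a different time: should count as equivalent.
SIGNED_JAR = build_jar({"META-INF/MANIFEST.MF": SIGNED_MANIFEST, **SIG_FILES,
                        "org/example/Foo.class": CLASS_V1}, stamp=(2018, 1, 2, 3, 4, 6))
# Signed but with a changed class and an extra class: must be flagged.
TAMPERED_JAR = build_jar({"META-INF/MANIFEST.MF": SIGNED_MANIFEST, **SIG_FILES,
                          "org/example/Foo.class": CLASS_V2, "org/example/Extra.class": CLASS_V2})


def report(label, a, b):
    r = compare_jars(a, b)
    verdict = "equivalent apart from signature" if equivalent_apart_from_signature(a, b) else "DIFFERENT, review by hand"
    print(f"{label}: {verdict}")
    for key in ("changed", "only_in_a", "only_in_b"):
        for name in r[key]:
            print(f"  {key:10} {name}")
    print(f"  sha1(a)={file_sha1(a)}  sha1(b)={file_sha1(b)}")


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python jarcmp.py unsigned.jar signed.jar
        with open(sys.argv[1], "rb") as fa, open(sys.argv[2], "rb") as fb:
            report(f"{sys.argv[1]} vs {sys.argv[2]}", fa.read(), fb.read())
    else:
        report("unsigned vs signed", UNSIGNED_JAR, SIGNED_JAR)
        report("unsigned vs tampered", UNSIGNED_JAR, TAMPERED_JAR)
```

Run it with two JAR paths to compare real files, or with no arguments for the built-in demo. An "equivalent apart from signature" verdict means every non-signature entry has identical bytes and the manifest's main attributes agree; a changed MANIFEST.MF main section (for example a different Created-By) is deliberately still reported, since that is the kind of thing a reviewer should look at before deciding the two builds are the same.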

Re: Why are signed jars a problem?

Posted by Geertjan Wielenga <ge...@googlemail.com>.
The idea is to try to download JARs from Maven Central, preferably.

The way to find the correct binary is to use its hash in the advanced
search to find the exact one you need.

Gj

On Tue, Oct 31, 2017 at 11:56 AM, Lars Bruun-Hansen <lb...@gmail.com>
wrote:

> Picking up some more modules to review and I can see some of you go to
> great length to find external binary in Maven Central (or elsewhere), even
> where an exact match doesn't exist. (by exact match I mean where the hash
> doesn't match)
>
> More specifically:
>
> Some external jars in the old NetBeans build have been stripped of their
> signatures. Why?
>
> See Matthias' comment here:
> https://github.com/apache/incubator-netbeans/pull/118#issuecomment-336624270
>
> In general:  How much should I try to find the external binary in some
> repo?
>