[9] request for review 8047353: Improve error message when a JAR with invalid signatures is loaded

Vincent Ryan vincent.x.ryan at oracle.com
Fri Jun 20 12:58:00 UTC 2014


There is precedence for revealing the full pathname only when a security manager is not running.
Would that be acceptable?


On 20 Jun 2014, at 13:21, Vincent Ryan <vincent.x.ryan at oracle.com> wrote:

> Hello Aaron,
> 
> I considered using your testcase that manually generates the necessary malformed JAR
> but as there was a suitable signed JAR already in the test suite I decided to re-use that.
> 
> I think it makes sense to re-work the test as a Java program. Unfortunately I’ll be on vacation
> from today but I’ll return to this issue when I get back.
> 
> Thanks.
> 
> 
> 
> On 20 Jun 2014, at 11:00, Aaron Digulla <digulla at hepe.com> wrote:
> 
>> Am Donnerstag, 19. Juni 2014 23:49 CEST, Joe Darcy <joe.darcy at oracle.com> schrieb:
>> 
>>> I'd prefer to see the CheckJarSigError.sh as a Java program.
>> 
>> There original bug report contains a full self-contained test case in Java. Why was that split into several files?
>> 
>> I'm also a bit uneasy about the "just show the file name". I have thousands of JARs with the same name on my harddisk (several Maven repos, target folders, you name it). If you strip the path from the error message, then I have to somehow figure out the classpath which was used.
>> 
>> That might work when I run Java from the command line but when I use complex frameworks like OSGi or Maven which do all kinds of magic to determine which JARs they might want to load, then this doesn't help much.
>> 
>> 
>> At least add a command line option / system property which allows to see the full path.
>> 
>> Regards,
>> 
>> --
>> Aaron "Optimizer" Digulla a.k.a. Philmann Dark
>> "It's not the universe that's limited, it's our imagination.
>> Follow me and I'll show you something beyond the limits."
>> http://blog.pdark.de/
> 



More information about the security-dev mailing list