[Gcjwebplugin-devel] call for cooperation: signed jars

[Philippe Laporte]

Hi,



Casey Marshall wrote:

> On Mar 9, 2006, at 1:35 PM, Philippe Laporte wrote:
>
> > Casey Marshall wrote:
> >
> > > On Mar 9, 2006, at 8:54 AM, Philippe Laporte wrote:
> > >
> > > > Does this library have (ie is in a perfect state) all the  
> > > > security  and signing stuff that classpath lacks right now? How  
> > > > about the  security audit?
> > >
> > > I don't understand (and have been largely ignoring this thread, so  
> > > I  may have missed some context).
> >
> >
> >
> > Unfortunate. Despite some people think I'm ugly, you'll come to  like 
> > me with time...give me a chance
>
> Not you in particular; I saw "sablevm" and "license" and that  
> discussion is always pointless.


[you may skip this if you are from gcjwebplugin only]


I spoke with Peter Mehlitz yesterday. He says it's been going since 
there was ever Java.

I think you guys are wrong in thinking it is pointless.

I will repeat myself as much as needed: when Nokia comes around they 
will want a clear story. I have sent the issue to the FSF. Please use 
any influcen you have to make Open Source Java great!

Now for the VM question. I would very much like, and Peter seemingly 
agrees (now please don't go shooting at him here. He didn't agree to me 
citing him. I didn't ask. But I think this is fine. I think you all 
respect him to some extent), to see the number of Open Source VMs around 
decrease to around 5-6.

What is the leading CLDC open-source VM where one can add proprietary 
software, link in extra code in whatever way he pleases, pay his hommage 
to the VM gods (loads of money also helps), and all happening harmoniously?

And then the guy can sell the result to other big guys...

What is wrong with that? Free software means the Freedom to not start 
from scratch when you change workplaces. The rest is all political.

I propose that you look carefully into the Maemo/Nokia way of Open Source.

Now, as to the appropriateness of this topic in this list. I think it is 
paying serious hommage to Classpath to talk about this here.

I got a small pledge down below, and now I'll follow Etienne's advice, 
which is to take a break.

> > > What do you think is missing from  Classpath's security  
> > > infrastructure?
> >
> >
> >
> > support for signed jars, I was told
>
> Nope. Classpath has had support for *verifying* signed jar files for  
> some time now; we do currently lack support for *creating* signed jar  
> files (i.e., we don't have a replacement for `jarsigner' yet) but I  
> think Raif said he would look into that.
>
> I kinda doubt Harmony has a `jarsigner' yet, unless they were able to  
> panhandle one from IBM or Intel.


Good. Now we need verification in Knopflerfish R4 and it is not yet 
implemented. Is someone willing to join forces to implement it both in 
KF and in GCJWebplugin?

Off for the weekend,
Philippe