Re: [Jython-users] Safe Deployment

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Thanks for your response, Charles.  For the systems on
our LAN your 'rsh' suggestion could work quite well.  But
most of our users are not under our direct control-- many
users are working at home.  We can, however, dictate the
runtime enviroment.

Currently we are distributing the alpha version of this app
using a cdrom/web solution.  We send a cdrom with the JRE and
Jython install files, also included is a small jython script
to download the latest jars from our server. For the java
classes, this works quite well.  But I am less satisfied
with the jython situation.

The only solution I have thought of so far is to have the
client download a signed jar and unpack it to the file system.
Then when a script is run the java framework checks the 
integrity of the script by comparing to known MD5 hashs stored
on the server. Yuck. This would be a nightmare for imports and
such.

I am resisting delivering class files created by jythonc
because it's another layer of complexity (and another source
of bugs).  Ideally a signed jar could be used as a virtual
file system by jython.  That would be sweet!

Thanks again,
  Dave

On Mon, 05 Mar 2001 15:44:02 -0700, you wrote:
> If you have progs on other machines that you want to 
> start running, without knowing the details of what
> you are doing, one way is just to "rsh" them into
> existence and have them call back (via sockets)
> to the master node/dispatching machine, which can
> be running a daemon-communications server to handle
> subsequent communications. You can mess around with
> permissions to beef up security (like setuid to 
> certain user when run).  
> 
> Charles
> 
> 
> David Huttleston Jr wrote:
> > 
> > Hey Jythoneers,
> >   I am looking for ideas to deploy a distributed
> > app in a secure fashion.  We are using jython for the
> > client gui and logic, and java for the server and
> > communication framework.
> > 
> > A few notes:
> > 1) We are free to install JDK1.3 and Jython on all
> >    clients.
> > 2) We must make sure a script can not be run if it has
> >    been modified.
> > 3) We must be able to conveniently deliver new versions
> >    over the web, but we are flexible as to how.
> > 
> > Obviously, a signed Jar is designed to solve these issues.
> > Is there a way to deploy jython programs without
> > compiling them and using a signed Jar?
> > 
> > Thanks,
> >   Dave
> > 
> > _______________________________________________
> > Jython-users mailing list
> > Jyt...@li...
> > http://lists.sourceforge.net/lists/listinfo/jython-users
> 
> _______________________________________________
> Jython-users mailing list
> Jyt...@li...
> http://lists.sourceforge.net/lists/listinfo/jython-users
> 
> 