[Smartfrog-checkins] [Smartfrog.org-JIRA] Commented: (SFOS-879) Security: remove signedLib; all the JARs in lib/ are to be signed instead

[Steve L. (JIRA) <ji...@sm...>]

    [ http://jira.smartfrog.org/jira/browse/SFOS-879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=11290#action_11290 ] 

Steve Loughran commented on SFOS-879:
-------------------------------------

the final solution proposed for this is as follows

* unsecure distributions remain as is
* secure distributions use a symbolic link

This means that you cannot upgrade to a secure distribution; you need to uninstall and reinstall. but it stops you accidentally mixing the two.

> Security: remove signedLib; all the JARs in lib/ are to be signed instead
> -------------------------------------------------------------------------
>
>                 Key: SFOS-879
>                 URL: http://jira.smartfrog.org/jira/browse/SFOS-879
>             Project: SmartFrog
>          Issue Type: Improvement
>          Components: .sfCore
>    Affects Versions: 3.12.040
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>
> I'm proposing this as an alternative to the current approach of having a separate lib of signed JARs. 
> There are advantages/disadvantages
> signed JARS in lib/ : no need for separate path setup in secure mode, documentation simpler; everything that grabs the classpath works, and no way to start SF with unsigned JARs
> signed JARs in signedLib/ : makes the RPM creation of signed libs very complex
> Proposed:
> -signing updates the JARs in Situ
> -all scripts remove references to signedLib
> -docs are updated
> -everything gets tested thoroughly

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.smartfrog.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira