ONJava.com -- The Independent Source for Enterprise Java
oreilly.comSafari Books Online.Conferences.


AddThis Social Bookmark Button
  Why I Stopped Coding and Why I'd Start Again
Subject:   security problem
Date:   2007-01-20 03:53:37
From:   tbuitenh
Response to: In the language or in the file-system?

I was thinking the same, and there is a filesystem that does this, see zero-install.sourceforge.net . The problem is that it can be difficult to put checksums in a path. Without checksums, a malicious developer might replace a library developed by him by something else, and the system won't notice. Sticking PGP signatures to everything, like zeroinstall does, doesn't help, because you want the developer who typed the "include" to do the signing or checksum, not the one who wrote the library.

... I started writing out all the possible path rules that wouldn't work, but found one that does ...: