Kev Jackson wrote:

I don't think that this is the major problem. It's very very very unlikely that anyone would want to tamper with Ant (why bother, a user can always get the source and build themselves?). The problem is that when using Ant to build new code (and to generate a checksum for that distribution), now you as the developer of new-shiny-application have to decide whether anyone is going to take the time to create a fake version of your app.

Corruption of the new App isn't necessarily the intention of a potential attacker. It's far more interesting
to intercept passwords passed into ftp, ssh, or scp tasks, to spy into the file system accessible
to the ant installation, or even to install malware.


This said, our options to prevent this are very limited, and depend heavily on the
cooperation of ANT users. Or did you ever know somebody who checked the
checksums of an ANT distribution contained as a convenience in another system
(e.g. netbeans, or weblogic)?


Thomas



