From: Eric Sosman
Newsgroups: comp.lang.java.programmer
Subject: Re: Unsealing a jar file at runtime
Date: Mon, 01 Aug 2011 21:22:50 -0400

On 8/1/2011 5:48 PM, raphfrk@gmail.com wrote:
> On Jul 28, 12:21 pm, Andreas Leitgeb wrote:
>> Breaking open a seal is typically easily done.
>> Reinstating someone else's seal on the changed
>> content is "believed" to be much harder. I also
>> believe that it is, but I'm no crypto-expert.
>
> I don't want to break/remake, just wanted to extend a private class.
>
> Anyway, I guess if it was possible it would be a major hole in the
> security system.

Yes.

Also, it's well not to think of security solely in the form of "denial," as in "That so-and-so won't let me get at his private class!" Think for a moment of the so-and-so (who might as well be you), saying "I'm sure there's a better way to do this, but I don't have time to research/develop/debug it right now. I'll just put the adequate-but-not-great solution in a private class, and in Version 2.0 I'll replace it with something better. The replacement will be nothing like the original, but that won't hurt anybody because it's a private class so only my own code will need to adjust."

In other words, the security you chafe at also protects YOU.

-- 
Eric Sosman
esosman@ieee-dot-org.invalid