Open tombentley opened 11 years ago
I think we also need a way to tell tools to only work with HTTPS connections and allow signed modules. Any unsigned module or HTTP lookup would then be disallowed.
Well, first we should make the compiler sign jars (i.e. call out to jarsigner).
We need some integration between CMR and running the JVM under a security policy (basically make it easy to run in a sandbox where we trust code loaded from any of the configured repositories, whether it's signed or not).
(This may really be a ceylon-runtime issue)
ceylon/ceylon-compiler#1044