Re: hosting jnlp signed Java3D jars
Posted by Sven Gothel on Oct 08, 2013; 11:29am
URL: https://forum.jogamp.org/hosting-jnlp-signed-Java3D-jars-tp4030195p4030203.html
On 10/08/2013 10:49 AM, gouessej [via jogamp] wrote:
> Hi
>
> I see what you mean, you'd like to use Java3D as an extension and then you
> need us to provide a JNLP file pointing to Java3D JARs signed with our trusted
> certificate.
Technically it should not be necessary to sign our 'Java3D' builds,
since they use only JOGL and shall not perform any operations requiring
elevated privileges.
However - due to the latest Oracle developments regarding JNLP/Applet
[in]security - requiring the user code to be signed
and hence all consequent JARs to be signed as well - this may be different.
I haven't investigated this 'mixed JAR signing and non JAR signing' yet
in detail. But it could be that it forces us to sign the 'Java3D' JARs as well.
In general I have nothing against this idea, _if_ above situation is clarified
and Harvey agrees and provides a 'good build' to be signed with the upcoming 2.1.0 release.
>
> Personally, I would prefer waiting for some time until Java3D 1.6 becomes
> fully stable (especially under Mac OS X) to provide signed builds.
We will be most stable regarding JOGL's OSX CALayer usage for 2.1.0,
as we have solved most issues already.
> You can
> write a request for enhancement (bug report) about that.
I second that. Pls assign it to Harvey Harrison and CC Julien and myself.
>
> Your suggestion is interesting and would ease the deployment of Java3D
> applications but we'll have to fix some "legal" issues. For example, I'm not
> sure that the JogAmp Foundation is allowed to use the name "Java3D".
Me neither .. Harvey may has some insight.
But we can call it whatever Harvey likes it to be called - personally I don't care.
>
> Providing a JNLP extension for 3D engines in Java is not something obvious and
> common. For example, as far as I know, Ardor3D, JMonkeyEngine and Xith3D don't
> do it, they provide no signed JARs because its maintainers consider that it's
> the responsibility of the developer(s) to sign their whole applications with
> their own certificate(s). Moreover, signing JARs by yourself gives you a
> greater control. I used JOGL 1 as an extension for years and I stopped doing
> it several years ago to reduce the downloading time (pack2000 was rather a
> source of trouble in my case).
I guess that would be possible as well, reflecting above mentioned situation
w/ JAR signing. I.e. a user can sign 'Java3D' themselves w/ their user application
as Julien suggests.
>
> You remind me that I should explain a bit more how to use Java Web Start to
> deploy Java3D applications in my tutorial.
Great stuff.
Cheers, Sven
URL: https://forum.jogamp.org/hosting-jnlp-signed-Java3D-jars-tp4030195p4030203.html
On 10/08/2013 10:49 AM, gouessej [via jogamp] wrote:
> Hi
>
> I see what you mean, you'd like to use Java3D as an extension and then you
> need us to provide a JNLP file pointing to Java3D JARs signed with our trusted
> certificate.
Technically it should not be necessary to sign our 'Java3D' builds,
since they use only JOGL and shall not perform any operations requiring
elevated privileges.
However - due to the latest Oracle developments regarding JNLP/Applet
[in]security - requiring the user code to be signed
and hence all consequent JARs to be signed as well - this may be different.
I haven't investigated this 'mixed JAR signing and non JAR signing' yet
in detail. But it could be that it forces us to sign the 'Java3D' JARs as well.
In general I have nothing against this idea, _if_ above situation is clarified
and Harvey agrees and provides a 'good build' to be signed with the upcoming 2.1.0 release.
>
> Personally, I would prefer waiting for some time until Java3D 1.6 becomes
> fully stable (especially under Mac OS X) to provide signed builds.
We will be most stable regarding JOGL's OSX CALayer usage for 2.1.0,
as we have solved most issues already.
> You can
> write a request for enhancement (bug report) about that.
I second that. Pls assign it to Harvey Harrison and CC Julien and myself.
>
> Your suggestion is interesting and would ease the deployment of Java3D
> applications but we'll have to fix some "legal" issues. For example, I'm not
> sure that the JogAmp Foundation is allowed to use the name "Java3D".
Me neither .. Harvey may has some insight.
But we can call it whatever Harvey likes it to be called - personally I don't care.
>
> Providing a JNLP extension for 3D engines in Java is not something obvious and
> common. For example, as far as I know, Ardor3D, JMonkeyEngine and Xith3D don't
> do it, they provide no signed JARs because its maintainers consider that it's
> the responsibility of the developer(s) to sign their whole applications with
> their own certificate(s). Moreover, signing JARs by yourself gives you a
> greater control. I used JOGL 1 as an extension for years and I stopped doing
> it several years ago to reduce the downloading time (pack2000 was rather a
> source of trouble in my case).
I guess that would be possible as well, reflecting above mentioned situation
w/ JAR signing. I.e. a user can sign 'Java3D' themselves w/ their user application
as Julien suggests.
>
> You remind me that I should explain a bit more how to use Java Web Start to
> deploy Java3D applications in my tutorial.
Great stuff.
Cheers, Sven
signature.asc (911 bytes) | Free forum by Nabble | Edit this page |