directory-dev mailing list archives

From "Stefan Seelmann (Jira)" <>
Subject [jira] [Closed] (DIRSTUDIO-741) Update site has self-signed cert that expired months before the 1.5.3 release
Date Sun, 10 May 2020 08:09:00 GMT


Stefan Seelmann closed DIRSTUDIO-741.
    Resolution: Fixed

The build process changed completely and the Eclipse artifacts and update site are no longer
Whether signing will happen in future can be tracked in

> Update site has self-signed cert that expired months before the 1.5.3 release
> -----------------------------------------------------------------------------
>                 Key: DIRSTUDIO-741
>                 URL:
>             Project: Directory Studio
>          Issue Type: Bug
>          Components: studio-updatesite
>    Affects Versions: 1.5.3
>            Reporter: Jimmy Kaplowitz
>            Assignee: Pierre-Arnaud Marcelot
>            Priority: Major
>              Labels: security
>             Fix For: 2.0.0
>   Original Estimate: 2h
>  Remaining Estimate: 2h
> Hi,
> I was just trying to install Apache Directory Studio 1.5.3 from within Eclipse 3.7. It's
> saying that the certificate signing the software (or maybe the update site) is both self-signed
> and expired in January 2010. This is a bit more worrying than even having no certificate,
> since the 1.5.3 release is from April 2010, and I'm kind of puzzled that it was signed with
> a certificate that was already several months out of date when the release was made, in addition
> to being self-signed. I'm also trying this more than a year after the 1.5.3 release occurred,
> so the fact that the situation remains as I've described is quite worrying from the perspective
> of having security issues noticed and addressed in a timely fashion.
> There are many valid ways to handle the issue of code signing, including deciding that
> it's not useful security to do it at all, making an Apache-specific certificate authority,
> or paying for a commercial certificate as is done for the * HTTPS web sites. The
> current situation with the Eclipse update site encourages false guarantees of security and,
> if Apache's users are taught to ignore such warnings, exposes them to man-in-the-middle or
> other malicious attacks when they think they are being protected by the security reputation
> of the Apache Software Foundation.
> The time estimate I have given is assuming you decide to generate some new certificate
> by whatever commercial or non-commercial method, and may include the time to deal with a vendor
> and/or rebuild the software. If you simply decide to switch your repository to unsigned, my
> estimate will probably be too large.
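The two defects the report describes (a signing certificate that is self-signed, and one whose notAfter date precedes the release it signs) are both visible in the certificate itself and can be checked before an update site goes live. The script below is an added example, not code from Apache Directory Studio or from this thread: it uses only the Python standard library, with a minimal DER encoder that builds a constructed sample certificate and a minimal DER walker that reads back issuer, subject and validity. The names, dates and release date are constructed to mirror the report (expiry in January 2010, release in April 2010), and the key and signature bytes are placeholders; the example checks validity and issuer/subject, not the signature.

```python
"""Check an X.509 certificate (DER) for the problems in DIRSTUDIO-741:
self-signed (issuer == subject) and expired before the release date.
Standard library only.  The sample certificate is constructed here; its
public key and signature fields are placeholders, not real key material."""
from datetime import datetime, timezone


# ---- minimal DER encoder: only what the sample certificate needs ----
def der(tag: int, body: bytes) -> bytes:
    """Encode one TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def utctime(dt: datetime) -> bytes:
    """UTCTime (tag 0x17); RFC 5280 uses it for years before 2050."""
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def name(common_name: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (OID 2.5.4.3)."""
    oid_cn = der(0x06, bytes([0x55, 0x04, 0x03]))
    atv = der(0x30, oid_cn + der(0x0C, common_name.encode("utf-8")))
    return der(0x30, der(0x31, atv))


def build_cert(subject_cn: str, issuer_cn: str, not_before: datetime, not_after: datetime) -> bytes:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    rsa_key_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                      # [0] EXPLICIT version v3
              + der(0x02, b"\x01")                                 # serialNumber
              + sha256_rsa                                         # signature algorithm
              + name(issuer_cn)                                    # issuer
              + der(0x30, utctime(not_before) + utctime(not_after))  # validity
              + name(subject_cn)                                   # subject
              + der(0x30, rsa_key_alg + der(0x03, b"\x00" * 9)))   # placeholder SPKI
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 17))   # placeholder signature


# ---- minimal DER walker ----
def read_tlv(buf: bytes, off: int):
    """Return (tag, content, offset_after) for the TLV starting at off."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[off + 2:off + 2 + k], "big"), 2 + k
    start = off + hdr
    return tag, buf[start:start + n], start + n


def children(content: bytes):
    """Split a constructed value into (tag, content, raw_tlv) triples."""
    off, out = 0, []
    while off < len(content):
        tag, body, nxt = read_tlv(content, off)
        out.append((tag, body, content[off:nxt]))
        off = nxt
    return out


def parse_time(tag: int, body: bytes) -> datetime:
    """UTCTime (YYMMDDHHMMSSZ, 2-digit year per RFC 5280) or GeneralizedTime (4-digit year)."""
    s = body.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year, s = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    else:
        year, s = int(s[:4]), s[4:]
    return datetime(year, int(s[0:2]), int(s[2:4]), int(s[4:6]), int(s[6:8]), int(s[8:10]),
                    tzinfo=timezone.utc)


def inspect_cert(cert_der: bytes) -> dict:
    """Pull raw issuer/subject Names and the validity window out of a DER certificate."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert_body, 0)
    fields = children(tbs)
    if fields[0][0] == 0xA0:              # optional [0] version is present
        fields = fields[1:]
    _serial, _sigalg, issuer, validity, subject = fields[:5]
    nb, na = children(validity[1])
    return {"issuer_raw": issuer[2], "subject_raw": subject[2],
            "not_before": parse_time(nb[0], nb[1]), "not_after": parse_time(na[0], na[1])}


def assess(cert_der: bytes, release_date: datetime) -> dict:
    """Self-signed if issuer DER == subject DER; expired if notAfter precedes the release."""
    info = inspect_cert(cert_der)
    return {"self_signed": info["issuer_raw"] == info["subject_raw"],
            "expired_at_release": info["not_after"] < release_date,
            "not_after": info["not_after"]}


# Constructed samples (hypothetical names; dates approximate the report).
RELEASE_DATE = datetime(2010, 4, 1, tzinfo=timezone.utc)
BAD_CERT = build_cert("update-site.example", "update-site.example",
                      datetime(2009, 1, 15, tzinfo=timezone.utc), datetime(2010, 1, 15, tzinfo=timezone.utc))
OK_CERT = build_cert("update-site.example", "Example Release CA",
                     datetime(2009, 1, 15, tzinfo=timezone.utc), datetime(2011, 1, 15, tzinfo=timezone.utc))

if __name__ == "__main__":
    print("bad:", assess(BAD_CERT, RELEASE_DATE))
    print("ok: ", assess(OK_CERT, RELEASE_DATE))
```

Comparing the raw DER of issuer and subject is the same test a TLS stack applies first when deciding whether a certificate is self-issued; a CA-issued certificate from a trusted chain would instead carry an issuer Name that matches the CA's subject. Running the check against the release date, rather than the current date, is what catches a certificate that was already out of date when the artifacts were signed.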
