Dain Sundstrom wrote:
> Isn't there a bigger security concern here? Say some guy shows up and
> says he is from organization X and wants to add the latest XSoft
> application to the index.... get my point?

Regardless of where things are hosted, I think it would be nice to eventually be able to support plugins signed with X.509** certificates so that people can verify the authenticity of signed plugins and knowingly accept risk when they install an unsigned plugin. For the first release though, a warning on the plugin page ought to suffice. I think it's important to get the technology out there and start getting feedback, inspiring plugin developers, etc.

Cheers,
Erin

**I am a fan of GPG/PGP, but it's more tedious / less useful than centralized PKI for most users who haven't established a strong web of trust.
