Hi.
Recently I have noticed discussion explaining how to bypass the NetBeans Plugin Portal. The usual way is to create a NetBeans module extension to provide its own update center definition and register it in the NetBeans Plugin Portal. Once a user downloads such a module, the provided update center gets activated and can distribute new updates or new modules.

Isn't this a security threat? Shouldn't we ban modules that register their own update centers?

When we worked on designing the new update center based on the Maven Central repository, I wanted to benefit from the organizational structure of the Maven repository:

- identity of people who publish there is known to some extent
- it is not possible to alter once published content
- there are sources next to each published module

With such constraints we can more properly verify what 3rd party NetBeans extensions do before we approve them. With modules that bypass our Plugin Portal by installing their own catalog, we lose any control. Owners of such catalogs can publish anything, anytime, to anyone and change that whenever they want. It's just a matter of time till somebody exploits that.

Shouldn't we require 3rd party modules available via the default NetBeans Update Center to avoid such bypassing and always release new versions via Maven Central and the NetBeans Plugin Portal?

-jt