Hi, I am just on the way learning to make a plugin available via Maven Central and our official update center step by step and I think it is a good compromise between security and practicability. And I like the idea that we have for all plugins the source code repository available. I do not like to come into the situation that there are lots of plugins in different plugin centers from people I do not know and I have to trust if I install the plugins.
I am also working for more than 10 years on very big RCP applications based on the NetBeans platform and I think for these, management of my own update centers is the better solution.

best regards
Oliver

> Hi.
> Recently I have noticed discussion explaining how to bypass NetBeans Plugin
> Portal. The usual way is to create a NetBeans module extension to provide
> own update center definition and register it in NetBeans Plugin Portal.
> Once a user downloads such module, the provided update center gets
> activated and can distribute new updates or new modules.
>
> Isn't this a security threat? Shouldn't we ban modules that register own
> update centers?
>
> When we worked on designing the new update center based on Maven central
> repository, I wanted to benefit from the organizational structure of Maven
> repository:
>
> - identity of people who publish there is known to some extent
> - it is not possible to alter once published content
> - there are sources next to each published module
>
> With such constraints we can more properly verify what 3rd party NetBeans
> extensions do before we approve them. With modules that bypass our Plugin
> Portal by installing their own catalog, we lose any control. Owners of
> such catalogs can publish anything, anytime to anyone and change that
> whenever they want. It's just a matter of time till somebody exploits that.
>
> Shouldn't we require 3rd party modules available via the default NetBeans
> Update center to avoid such bypassing and always release new versions via
> Maven Central and NetBeans Plugin Portal?
>
> -jt