Hi,

> Shouldn't we require 3rd party modules available via the default
> NetBeans Update center to avoid such bypassing and always release new
> versions via Maven Central and NetBeans Plugin Portal?

There should be at least one exception from this restriction for vendors of commercial plugins.

My company offers a commercial plugin (JFormDesigner) for NetBeans, and for us it is not an option to upload our commercial plugin to Maven Central. Not sure whether this would even be legal. Isn't Maven Central for open source only?

Our plan is to create a small (open-source) plugin that only adds the JFormDesigner update center to NetBeans. Then users can download/update JFormDesigner from our site and we are not required to upload commercial binaries to Maven Central.


Another improvement for more security would be to have a possibility to restrict update centers to specific plugins. Then, e.g., the JFormDesigner update center would only be used/allowed to download/update the JFormDesigner plugin, but not other plugins.


Best regards,
Karl Tauber
--
FormDev Software GmbH
Aventinusweg 5, 85649 Brunnthal, Germany
www.formdev.com, www.jformdesigner.com
Register of companies: Amtsgericht München, HRB 164093
Managing director: Karl Tauber


On 06.07.2020 19:13, Jaroslav Tulach wrote:
Hi.
Recently I have noticed discussion explaining how to bypass NetBeans Plugin Portal. The usual way is to create a NetBeans module extension to provide own update center definition and register it in NetBeans Plugin Portal. Once a user downloads such module, the provided update center gets activated and can distribute new updates or new modules.

Isn't this a security threat? Shouldn't we ban modules that register own update centers?

When we worked on designing the new update center based on Maven central repository, I wanted to benefit from the organizational structure of Maven repository:

- identity of people who publish there is known to some extent
- it is not possible to alter once published content
- there are sources next to each published module

With such constraints we can more properly verify what 3rd party NetBeans extensions do before we approve them. With modules that bypass our Plugin Portal by installing their own catalog, we lose any control. Owners of such catalogs can publish anything, anytime to anyone and change that whenever they want. It's just a matter of time till somebody exploits that.

Shouldn't we require 3rd party modules available via the default NetBeans Update center to avoid such bypassing and always release new versions via Maven Central and NetBeans Plugin Portal?

-jt


