Isn’t the whole reason for signed plugins to ensure they are provided by a trusted source and not tampered with by bad actors? If no signing, does that add a risk of possible tainted plugins with malicious intent?
Eric

On Mon, Feb 20, 2023 at 1:37 PM Matthias Bläsing <mblaes...@doppel-helix.eu.invalid> wrote:

> Hi Jiří,
>
> On Friday, 17.02.2023 at 18:49 +0100, Jiří Kovalský wrote:
> > Anyway, I can give the context here. :) About two months ago Mani
> > (Cc:ed here) joined the team of plugin verifiers as a new volunteer and
> > during the introductory call with him we talked about whether plugins
> > should be signed. As per the Plugin Verification specification [1] the
> > installation instructions only mention:
> >
> > 1.8 If validation warning about self-signed certificate is displayed,
> > accept it by clicking Continue button.
> >
> > [1] https://synergy.netbeans.apache.org/#/title/verification_of_apache_netbeans_plugin/
> >
> > It says nothing about not signed plugins but we came to the conclusion
> > that if self-signed plugins are explicitly tolerated then not-signed ones
> > should not.
> >
> > However, if you and Neil think that the signature check should be
> > excluded completely and NetBeans community supports it, let's remove it.
> > And even more if the whole verification process is seen as useless then
> > let's have an official community voting and then get rid of it!
>
> I have mixed feelings about this, but my surprise did not come from the
> requirement to sign the package, but from the change in policy. If the
> plugin had not been approved multiple times before, I might have just
> shrugged it off, this way it felt very irritating.
>
> Anyway, I want to focus on other things, so for now let's keep it as is.
> Seems to be working.
>
> > As an immediate fix I have changed my NoGo to Go for all your 3 plugins
> > and hereby ask Carlos/Geertjan/Mani to do the same if they agree.
>
> Thank you.
>
> Greetings
>
> Matthias

--
Eric Bresie
ebre...@gmail.com