Hey,
as far as I can remember, signed plugins are shown in the plugin manager
of NetBeans itself. This was the point under oracle. Dunno whether this
changed or not.
Cheers
Chris
Am 20.02.2023 um 21:28 schrieb Eric Bresie:
Isn’t the whole reason for signed plugins to ensure they are provided by a
trusted source and not tampered with by bad actors? If no signing, does
that add a risk of possible tainted plugins with malicious intent?
Eric
On Mon, Feb 20, 2023 at 1:37 PM Matthias Bläsing
<mblaes...@doppel-helix.eu.invalid> wrote:
Hi Jiří,
Am Freitag, dem 17.02.2023 um 18:49 +0100 schrieb Jiří Kovalský:
Anyway, I can give the context here. :) About two months ago Mani
(Cc:ed here) joined the team of plugin verifiers as a new volunteer and
during the introductory call with him we talked about whether plugins
should be signed. As per the Plugin Verification specification [1] the
installation instructions only mention:
1.8 If validation warning about self-signed certificate is displayed,
accept it by clicking Continue button.
[1]
https://synergy.netbeans.apache.org/#/title/verification_of_apache_netbeans_plugin/
It says nothing about not signed plugins but we came to the conclusion
that if self-signed plugins are explicitly tolerated then not-signed one
should not.
However, if you and Neil think that the signature check should be
excluded completely and NetBeans community supports it, let's remove it.
And even more if the whole verification process is seen as useless then
let's have an official community voting and then get rid of it!
I have mixed feeling about this, but my surprise did not come from the
requirement to sign the package, but from the change in policy. If the
plugin had not been approved multiple time before, I might have just
shrugged if off, this way it felt very irritating.
Anyway, I want to focus on other things, so for now lets keep it as is.
Seems to be working.
As an immediate fix I have changed my NoGo to Go for all your 3 plugins
and hereby ask Carlos/Geertjan/Mani to do the same if they agree.
Thank you.
Greetings
Matthias
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@netbeans.apache.org
For additional commands, e-mail: dev-h...@netbeans.apache.org
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
--
Eric Bresie
ebre...@gmail.com
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@netbeans.apache.org
For additional commands, e-mail: dev-h...@netbeans.apache.org
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
