Good morning/Evening, I am late to the party and would like to add why I gave a no-go because the plugin was not signed. This is from history and relates to my own published plugins in previous releases. I was given a no-go because the plugin was not signed. On re-submitting a signed (self-signed) plugin, it was approved. I followed the same practice in giving your plugins a no-go with similar advice.

*Cheers*
Mani/Naren/Iyer
*The trick of walking on water is knowing where the stones are.*

On Tue, Feb 21, 2023 at 1:58 AM Eric Bresie <ebre...@gmail.com> wrote:

> Isn’t the whole reason for signed plugins to ensure they are provided by a trusted source and not tampered with by bad actors? If no signing, does that add a risk of possible tainted plugins with malicious intent?
>
> Eric
>
> On Mon, Feb 20, 2023 at 1:37 PM Matthias Bläsing <mblaes...@doppel-helix.eu.invalid> wrote:
>
>> Hi Jiří,
>>
>> On Friday, 17.02.2023 at 18:49 +0100, Jiří Kovalský wrote:
>> > Anyway, I can give the context here. :) About two months ago Mani (Cc:ed here) joined the team of plugin verifiers as a new volunteer and during the introductory call with him we talked about whether plugins should be signed. As per the Plugin Verification specification [1] the installation instructions only mention:
>> >
>> > 1.8 If validation warning about self-signed certificate is displayed, accept it by clicking Continue button.
>> >
>> > [1] https://synergy.netbeans.apache.org/#/title/verification_of_apache_netbeans_plugin/
>> >
>> > It says nothing about not signed plugins but we came to the conclusion that if self-signed plugins are explicitly tolerated then not-signed ones should not.
>> >
>> > However, if you and Neil think that the signature check should be excluded completely and NetBeans community supports it, let's remove it. And even more if the whole verification process is seen as useless then let's have an official community voting and then get rid of it!
>>
>> I have mixed feelings about this, but my surprise did not come from the requirement to sign the package, but from the change in policy. If the plugin had not been approved multiple times before, I might have just shrugged it off, this way it felt very irritating.
>>
>> Anyway, I want to focus on other things, so for now let's keep it as is. Seems to be working.
>>
>> > As an immediate fix I have changed my NoGo to Go for all your 3 plugins and hereby ask Carlos/Geertjan/Mani to do the same if they agree.
>>
>> Thank you.
>>
>> Greetings
>>
>> Matthias
>
> --
> Eric Bresie
> ebre...@gmail.com