On Sun, 13 Aug 2023 at 21:10, Matthias Bläsing <mblaes...@doppel-helix.eu.invalid> wrote: > Reasoning: > > Plugin unsigned. Please sign (self-signed is ok) and re-submit for > verification > > This was not a problem in: 11, 12, 16 and 17. > > _Nothing_ changed for these plugins and I don't see why I should was > resources in CI/CD systems and on maven central, just to "fix" > something, that was not broken for a long time.
Yes, anything that was previously verified should be allowed through unless it's actually broken. We have a limited RC window for people to test with plugins as it is. Making plugin authors jump through unnecessary hoops doesn't help there. > The requirement to sign the plugins is questionable in itself without a > trust anchor or revocation list, but I can live with with requiring > signature for updates (this will become fun, once the signature > expires, but ...) Agreed! And we have SHA in the catalog which I assume are checked?! As you've raised this before, I would suggest you just kick off a lazy consensus thread on removing the self-sign requirement. Or on the validation rules as a whole. Best wishes, Neil --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@netbeans.apache.org For additional commands, e-mail: dev-h...@netbeans.apache.org For further information about the NetBeans mailing lists, visit: https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists