Since there has been no further communication on this topic, let's take
this as a lazy consensus that signatures won't be considered at all when
verifying plugins going forward. I have updated step 8 in the "Install
plugin" Synergy test accordingly:
https://synergy.netbeans.apache.org/#/case/6314/suite/2525/v/1
Anyone please speak up if you disagree.
Mani, Carlos, Geertjan - FYI
Thanks,
-Jirka
On 14. 08. 23 at 19:44 Neil C Smith wrote:
> On Sun, 13 Aug 2023 at 21:10, Matthias Bläsing
> <mblaes...@doppel-helix.eu.invalid> wrote:
> > Reasoning:
> > Plugin unsigned. Please sign (self-signed is ok) and re-submit for
> > verification
> > This was not a problem in: 11, 12, 16 and 17.
> > _Nothing_ changed for these plugins and I don't see why I should waste
> > resources in CI/CD systems and on maven central, just to "fix"
> > something that was not broken for a long time.
> Yes, anything that was previously verified should be allowed through
> unless it's actually broken. We have a limited RC window for people
> to test with plugins as it is. Making plugin authors jump through
> unnecessary hoops doesn't help there.
> > The requirement to sign the plugins is questionable in itself without a
> > trust anchor or revocation list, but I can live with requiring a
> > signature for updates (this will become fun, once the signature
> > expires, but ...)
> Agreed! And we have SHA in the catalog which I assume are checked?!
> As you've raised this before, I would suggest you just kick off a lazy
> consensus thread on removing the self-sign requirement. Or on the
> validation rules as a whole.
> Best wishes,
> Neil
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@netbeans.apache.org
For additional commands, e-mail: dev-h...@netbeans.apache.org
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists