Re: Plugin Verifikation Plugins Portal (changing rules)

2023-08-14 Thread Neil C Smith
On Sun, 13 Aug 2023 at 21:10, Matthias Bläsing wrote:
> Reasoning:
>
> Plugin unsigned. Please sign (self-signed is ok) and re-submit for
> verification
>
> This was not a problem in: 11, 12, 16 and 17.
>
> _Nothing_ changed for these plugins and I don't see why I should waste
> resources in CI/CD systems and on maven central, just to "fix"
> something, that was not broken for a long time.

Yes, anything that was previously verified should be allowed through
unless it's actually broken.  We have a limited RC window for people
to test with plugins as it is.  Making plugin authors jump through
unnecessary hoops doesn't help there.

> The requirement to sign the plugins is questionable in itself without a
> trust anchor or revocation list, but I can live with requiring
> signature for updates (this will become fun, once the signature
> expires, but ...)

Agreed!  And we have SHA in the catalog which I assume are checked?!

As you've raised this before, I would suggest you just kick off a lazy
consensus thread on removing the self-sign requirement.  Or on the
validation rules as a whole.

Best wishes,

Neil

-
To unsubscribe, e-mail: dev-unsubscr...@netbeans.apache.org
For additional commands, e-mail: dev-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists





Re: Plugin Verifikation Plugins Portal (changing rules)

2023-08-13 Thread Ernie Rael

> The requirement to sign the plugins is questionable in itself

Especially considering that it's in maven central.

-ernie

On 23/08/13 1:10 PM, Matthias Bläsing wrote:

Hi again,

I just noticed, that the LDIF Editor and LDAP Explorer plugins were
rejected for the plugin portal for 19.

Reasoning:

Plugin unsigned. Please sign (self-signed is ok) and re-submit for
verification

This was not a problem in: 11, 12, 16 and 17.


_Nothing_ changed for these plugins and I don't see why I should waste
resources in CI/CD systems and on maven central, just to "fix"
something, that was not broken for a long time.

The requirement to sign the plugins is questionable in itself without a
trust anchor or revocation list, but I can live with requiring
signature for updates (this will become fun, once the signature
expires, but ...), but this is not the case here. For the PlantUML
Plugin I created a signed build, because the package changed and so it
was worth spending the bandwidth and space and time.

Would be nice, if you could take back the reject and get this approved.

Thank you

Matthias
