Hi all,

How are we doing in this discussion, at least, what can we do to release the fix to the nb-javac which, without it, will otherwise cause refactoring to fail if nb-javac is installed?

Gj

On Sun, Oct 27, 2019 at 12:19 PM Jan Lahoda <lah...@gmail.com> wrote:

> On Fri, Oct 25, 2019 at 1:04 PM Neil C Smith <neilcsm...@apache.org> wrote:
>
> > On Thu, 24 Oct 2019 at 21:17, Jan Lahoda <lah...@gmail.com> wrote:
> > > > Still unsure about how we handle catalog and signing issues though.
> > > > Am I right in thinking with current situation people will see a
> > > > warning on update? Definitely see this already when re-enabling
> > > > nb-javac.
> > >
> > > That is one of the things I'd like to try. The update will be a two
> > > phase process - first update the nb/updatecenters module, and then
> > > nb-javac. I *think* there should be no warning for the second update
> > > (because the NBM is signed using the key that is embedded in the
> > > updatecenters module), but I am less sure about how exactly the first
> > > update will work.
> >
> > I'm fairly sure the first update at least will show a warning.
> > Installing other nbms from the distribution UC does now.
>
> Yes, I am afraid so, unless we find a way to sensibly sign the NBMs.
>
> There is this (which is probably what Reema shared):
> https://blogs.apache.org/infra/entry/code_signing_service_now_available
>
> But I have no idea if we asked for access there. (And if ASF would pay
> for each signed file, then signing several hundred NBMs would not fly
> anyway, I think.) But we could at least use that for this update release
> (which will likely only consist of a handful of NBMs), and try to do
> something better for the future.
>
> But the second update should be without warning, if the NBMs are done
> properly.
>
> > Check the link Reema shared that I posted earlier. We might be able
> > to use that, in the short term manually signing the relevant updates
> > via the web interface? Except that shows a browser security error for
> > me. And also specifies .jar extension.
> >
> > What other options are there? Is there any *secure* way that we can
> > add trust in the IDE for modules built on ASF infrastructure? If I
> > understand it correctly, the current way the third-party UC does this
> > will only work for a single build?
>
> I wonder if we could validate the GPG signatures (.asc) we need to use
> anyway - the IDE could then have a list of "trusted" KEYs.
>
> Jan
>
> > Best wishes,
> >
> > Neil