Hey,
I've seen some posts that say that maven central is safe because the
source is available. That seems a questionable claim. Is there any
review of the source or does anyone build their plugins from source? And
just because it works/behaves at first doesn't mean there isn't
something dangerous ticking that might bite you in the @ss after a
period of time.
The old plugin portal had a "user comments" section. Something like that
could help validate and increase the comfort level, maybe only allowing
registered users.
Further comments inline.
On 7/8/2020 8:07 AM, Karl Tauber wrote:
> Hi,
> > Shouldn't we require 3rd party modules available via the default
> > NetBeans Update center to avoid such bypassing and always release new
> > versions via Maven Central and NetBeans Plugin Portal?
> There should be at least one exception from this restriction for
> vendors of commercial plugins.
> My company offers a commercial plugin (JFormDesigner) for NetBeans and
> for us it is not an option to upload our commercial plugin to Maven Central.
> Not sure whether this would be even legal. Isn't Maven Central for
> open source only?
I'd like to hear some clarification on this point if anyone has an
answer, definitive or otherwise. I've seen some articles that say yes
and some that say no.
> Our plan is to create a small (open-source) plugin that only adds the
> JFormDesigner update center to NetBeans. Then users can
> download/update JFormDesigner from our site and we are not required to
> upload commercial binaries to Maven Central.
> Another improvement for more security would be to have a possibility
> to restrict update centers to specific plugins. Then e.g. the
> JFormDesigner update center would be only used/allowed to
> download/update JFormDesigner plugin, but not other plugins.
I had a similar thought. Incorporate a list of plugins that can be
downloaded. And there's the idea to only allow download of stuff from
maven central. Though that might not work in your case.
All these schemes rely on some faith in the publisher. Having
restrictions and procedures (hoops to jump through) helps. Code review
and auto build from source could alleviate this, but that cost seems way
too high.
Currently it's permitted to manually add an update center. Is removing
that capability part of this discussion? Manually installing the jVi UC,
if a user wanted, might be a compromise.
BTW, jVi reads a "motd" (infrequently changing) from the net and puts
that into an output window around startup (nothing happens if the
request fails). Is that considered a security violation?
-ernie
> Best regards,
> Karl Tauber
> --
> FormDev Software GmbH
> Aventinusweg 5, 85649 Brunnthal, Germany
> www.formdev.com, www.jformdesigner.com
> Register of companies: Amtsgericht München, HRB 164093
> Managing director: Karl Tauber
> On 06.07.2020 19:13, Jaroslav Tulach wrote:
> > Hi.
> > Recently I have noticed discussion explaining how to bypass NetBeans
> > Plugin Portal. The usual way is to create a NetBeans module extension
> > to provide own update center definition and register it in NetBeans
> > Plugin Portal. Once a user downloads such module, the provided update
> > center gets activated and can distribute new updates or new modules.
> > Isn't this a security threat? Shouldn't we ban modules that register
> > own update centers?
> > When we worked on designing the new update center based on Maven
> > central repository, I wanted to benefit from the organizational
> > structure of Maven repository:
> > - identity of people who publish there is known to some extent
> > - it is not possible to alter once published content
> > - there are sources next to each published module
> > With such constraints we can more properly verify what 3rd party
> > NetBeans extensions do before we approve them. With modules that
> > bypass our Plugin Portal by installing their own catalog, we lose any
> > control. Owners of such catalogs can publish anything, anytime to
> > anyone and change that whenever they want. It's just a matter of time
> > till somebody exploits that.
> > Shouldn't we require 3rd party modules available via the default
> > NetBeans Update center to avoid such bypassing and always release new
> > versions via Maven Central and NetBeans Plugin Portal?
> > -jt
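The thread twice proposes the same control: a registered update center should only be allowed to deliver a fixed list of plugins (Karl's "restrict update centers to specific plugins", Ernie's "incorporate a list of plugins that can be downloaded"). The following is an added example, not NetBeans code and not from anyone in the thread, showing how such an allowlist could be enforced against a catalog in the NetBeans autoupdate XML shape. The catalog, the update center URL and the codenamebase values are constructed for the example; an unknown update center is treated as allowing nothing, and a module whose manifest `OpenIDE-Module` disagrees with its `codenamebase` is rejected as well.

```python
"""Allowlist enforcement for an update-center catalog (added example).

Demonstrates the idea from the thread of binding an update center to the
specific plugins it may provide. Not NetBeans code; the catalog, URL and
module names below are constructed placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample catalog in the NetBeans autoupdate XML shape:
# one module the update center is meant to ship, one it is not.
SAMPLE_CATALOG = """<module_updates timestamp="00/00/00/08/07/2020">
  <module codenamebase="com.example.designer"
          distribution="com-example-designer.nbm"
          needsrestart="false">
    <manifest OpenIDE-Module="com.example.designer/1"
              OpenIDE-Module-Name="Example Designer"
              OpenIDE-Module-Specification-Version="7.0"/>
  </module>
  <module codenamebase="com.example.unrelated.tool"
          distribution="com-example-unrelated-tool.nbm"
          needsrestart="false">
    <manifest OpenIDE-Module="com.example.unrelated.tool"
              OpenIDE-Module-Name="Unrelated Tool"
              OpenIDE-Module-Specification-Version="1.2"/>
  </module>
</module_updates>
"""

# Policy: update center URL -> codenamebases it is allowed to provide.
# Hypothetical URL; in the scheme discussed this list would ship inside
# the small open-source module that registers the update center.
ALLOWED_MODULES = {
    "https://updates.example.com/catalog.xml": {"com.example.designer"},
}


def filter_catalog(catalog_xml, update_center_url, policy):
    """Split a catalog into (accepted, rejected) codenamebase lists.

    A module is accepted only if its codenamebase is on the allowlist for
    this update center AND its manifest's OpenIDE-Module (minus any "/N"
    major-release suffix) names the same module. Everything else, including
    every module from an update center the policy does not know, is rejected.
    """
    allowed = policy.get(update_center_url, set())
    root = ET.fromstring(catalog_xml)
    accepted, rejected = [], []
    for module in root.iter("module"):
        cnb = module.get("codenamebase")
        manifest = module.find("manifest")
        declared = manifest.get("OpenIDE-Module") if manifest is not None else None
        declared_cnb = declared.split("/")[0] if declared else None
        if cnb in allowed and declared_cnb == cnb:
            accepted.append(cnb)
        else:
            rejected.append(cnb)
    return accepted, rejected


if __name__ == "__main__":
    url = "https://updates.example.com/catalog.xml"
    ok, blocked = filter_catalog(SAMPLE_CATALOG, url, ALLOWED_MODULES)
    print("accepted:", ok)
    print("rejected:", blocked)
```

The check runs before any `distribution` URL is fetched, so a catalog owner who later adds entries to the feed gains nothing from the extra entries; the rejected list is what an installer would surface to the user or log.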
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@netbeans.apache.org
For additional commands, e-mail: dev-h...@netbeans.apache.org
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists