Isn’t that security threat the reason JAR signing was invented? -Tim
On Mon, Jul 6, 2020 at 1:12 PM Jaroslav Tulach <[email protected]> wrote:
> Hi.
> Recently I have noticed discussion explaining how to bypass NetBeans Plugin Portal. The
> usual way is to create a NetBeans module extension to provide own update center
> definition and register it in NetBeans Plugin Portal. Once a user downloads such module,
> the provided update center gets activated and can distribute new updates or new
> modules.
>
> Isn't this a security threat? Shouldn't we ban modules that register own update centers?
>
> When we worked on designing the new update center based on Maven central repository,
> I wanted to benefit from the organizational structure of Maven repository:
>
> - identity of people who publish there is known to some extent
> - it is not possible to alter once published content
> - there are sources next to each published module
>
> With such constraints we can more properly verify what 3rd party NetBeans extensions do
> before we approve them. With modules that bypass our Plugin Portal by installing their
> own catalog, we lose any control. Owners of such catalogs can publish anything, anytime
> to anyone and change that whenever they want. It's just a matter of time till somebody
> exploits that.
>
> Shouldn't we require 3rd party modules available via the default NetBeans Update center
> to avoid such bypassing and always release new versions via Maven Central and NetBeans
> Plugin Portal?
>
> -jt
>

--
http://timboudreau.com
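Tim's point that JAR signing exists to answer this kind of threat can be made concrete on the consuming side. The Java program below is an added example, not code from this thread or from the NetBeans project: it opens a module JAR in verifying mode, reads every content entry so the JDK checks its digest against the signed manifest, and accepts the JAR only if each entry is signed by a certificate whose SHA-256 fingerprint is on an allow-list. The JAR path and the trusted fingerprint passed on the command line are assumed inputs.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Path;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.util.Enumeration;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Accepts a module JAR only if every content entry is signed by a certificate on an allow-list of SHA-256 fingerprints. */
public final class SignedJarCheck {

    public static boolean isFullySignedByTrusted(Path jarPath, Set<String> trustedFingerprints) throws IOException {
        // verify=true makes JarFile check each entry's digest against the signed manifest as the entry is read
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureMetadata(entry.getName())) {
                    continue;
                }
                // Signer information is only populated after the entry has been read to the end,
                // and a tampered entry surfaces as a SecurityException during that read.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain to trigger digest verification */ }
                } catch (SecurityException tampered) {
                    return false;
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    return false; // an unsigned entry can carry arbitrary code, so the whole JAR is rejected
                }
                if (!anySignerTrusted(signers, trustedFingerprints)) {
                    return false;
                }
            }
        }
        return true;
    }

    private static boolean anySignerTrusted(CodeSigner[] signers, Set<String> trustedFingerprints) {
        for (CodeSigner signer : signers) {
            Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
            if (trustedFingerprints.contains(sha256Hex(leaf))) {
                return true;
            }
        }
        return false;
    }

    /** Fingerprint of the DER-encoded certificate; pinning this avoids trusting a self-signed cert that merely copies a subject name. */
    static String sha256Hex(Certificate cert) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder(64);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    private static boolean isSignatureMetadata(String name) {
        String n = name.toUpperCase();
        if (!n.startsWith("META-INF/")) {
            return false;
        }
        return n.equals("META-INF/MANIFEST.MF")
                || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    // Usage (assumed inputs): java SignedJarCheck module.jar <sha256-fingerprint-of-trusted-signer-cert>
    public static void main(String[] args) throws IOException {
        boolean ok = isFullySignedByTrusted(Path.of(args[0]), Set.of(args[1].toLowerCase()));
        System.out.println(ok ? "OK: every entry signed by a trusted publisher"
                              : "REJECT: unsigned, tampered, or signed by an unknown certificate");
    }
}
```

Two caveats worth keeping in mind. Pinning the certificate fingerprint rather than the subject name means a self-signed certificate that copies a known publisher's distinguished name is still rejected, but it also means the allow-list has to be updated when a publisher rotates keys. More importantly, this check only establishes who signed the JAR, not what it does: a validly signed module can still register its own update center, which is exactly the policy gap Jaroslav raises above, so signature verification complements a review policy rather than replacing it.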
