On 7/8/2020 6:48 PM, Tim Boudreau wrote:
Isn’t that security threat the reason JAR signing was invented?

I've heard that all, or almost all, plugin portal nbm's are self-signed.

How does that affect the security implications?

I've also heard that PP3 doesn't require jar signing; see https://issues.apache.org/jira/browse/NETBEANS-2331

-ernie


-Tim

On Mon, Jul 6, 2020 at 1:12 PM Jaroslav Tulach <jaroslav.tul...@gmail.com> wrote:

Hi.
Recently I have noticed discussion explaining how to bypass NetBeans Plugin Portal. The usual way is to create a NetBeans module extension to provide own update center definition and register it in NetBeans Plugin Portal. Once a user downloads such module, the provided update center gets activated and can distribute new updates or new modules.

Isn't this a security threat? Shouldn't we ban modules that register own update centers?

When we worked on designing the new update center based on Maven central repository, I wanted to benefit from the organizational structure of Maven repository:

- identity of people who publish there is known to some extent
- it is not possible to alter once published content
- there are sources next to each published module

With such constraints we can more properly verify what 3rd party NetBeans extensions do before we approve them. With modules that bypass our Plugin Portal by installing their own catalog, we lose any control. Owners of such catalogs can publish anything, anytime to anyone and change that whenever they want. It's just a matter of time till somebody exploits that.

Shouldn't we require 3rd party modules available via the default NetBeans Update center to avoid such bypassing and always release new versions via Maven Central and NetBeans Plugin Portal?

-jt

--
http://timboudreau.com
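The thread turns on two questions: whether a module is JAR-signed at all, and whether a self-signed signature is worth anything. The following is an added example, not code from this thread or from the NetBeans project, that audits an NBM or module JAR before installation and reports one of four states: unsigned, self-signed, signed by a certificate that chains to the JDK's trust store, or signed by a CA-style certificate that does not chain. It assumes NBM files are JAR-format archives (so the same check applies to the NBM and to the module JARs inside it), and that the JDK's default trust store sits at `$JAVA_HOME/lib/security/cacerts` with the conventional password `changeit`; both are assumptions to adjust for your environment.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example (not NetBeans code): classify the signing state of a JAR/NBM archive. */
public final class NbmSignerCheck {

    public enum Status {
        UNSIGNED,     // at least one non-META-INF entry carries no signature
        SELF_SIGNED,  // signed, but the signer certificate is its own issuer
        TRUSTED,      // signer chains to a trust anchor in the JDK's cacerts
        UNTRUSTED     // signed by a CA-issued certificate that does not chain to cacerts
    }

    public static final class Result {
        public final Status status;
        public final String signer; // subject DN of the leaf signer certificate, or null
        Result(Status status, String signer) { this.status = status; this.signer = signer; }
        @Override public String toString() { return status + (signer == null ? "" : " (" + signer + ")"); }
    }

    public static Result check(File archive) throws Exception {
        // verify=true: digests and signature blocks are checked as entries are read;
        // a tampered entry raises SecurityException from the read below.
        try (JarFile jar = new JarFile(archive, true)) {
            CodeSigner[] signers = null;
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // getCodeSigners() is only populated once the entry has been fully read.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                }
                CodeSigner[] entrySigners = entry.getCodeSigners();
                if (entrySigners == null) return new Result(Status.UNSIGNED, null);
                if (signers == null) signers = entrySigners;
            }
            if (signers == null) return new Result(Status.UNSIGNED, null);

            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : signers[0].getSignerCertPath().getCertificates()) {
                chain.add((X509Certificate) c);
            }
            X509Certificate leaf = chain.get(0);
            String subject = leaf.getSubjectX500Principal().getName();
            if (chain.size() == 1 && isSelfSigned(leaf)) return new Result(Status.SELF_SIGNED, subject);
            return new Result(chainsToTrustAnchor(chain) ? Status.TRUSTED : Status.UNTRUSTED, subject);
        }
    }

    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) return false;
        try {
            cert.verify(cert.getPublicKey()); // issuer == subject AND signed with its own key
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    static boolean chainsToTrustAnchor(List<X509Certificate> chain) throws Exception {
        // Assumption: JDK default trust store at its conventional path and password.
        File cacerts = new File(System.getProperty("java.home"), "lib/security/cacerts");
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts)) {
            trust.load(in, "changeit".toCharArray());
        }
        // PKIX validation takes the path without the anchor itself, so drop a trailing
        // self-signed root if the signer embedded its full chain.
        List<X509Certificate> path = new ArrayList<>(chain);
        if (path.size() > 1 && isSelfSigned(path.get(path.size() - 1))) path.remove(path.size() - 1);
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // offline audit; enable revocation checks in production
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return true;
        } catch (CertPathValidatorException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        for (String name : args) System.out.println(name + ": " + check(new File(name)));
    }
}
```

Run it as `java NbmSignerCheck some-plugin.nbm`. A SELF_SIGNED result means the signature proves integrity since signing (tampering would have raised SecurityException during the read) but says nothing about who the signer is, which is the point made above about self-signed NBMs; only TRUSTED ties the archive to an identity vouched for by a trust anchor, and even then the anchor set should be the one your organization chooses rather than the stock cacerts.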



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@netbeans.apache.org
For additional commands, e-mail: dev-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
