Hi Matthias,

first of all sorry for not reacting to your question sooner but I was busy lately so I didn't check the list and the direct message for some reason didn't end up in the Inbox too. :(

Anyway, I can give the context here. :) About two months ago Mani (Cc:ed here) joined the team of plugin verifiers as a new volunteer and during the introductory call with him we talked about whether plugins should be signed. As per the Plugin Verification specification [1] the installation instructions only mention:

1.8 If validation warning about self-signed certificate is displayed, accept it by clicking Continue button.

[1] https://synergy.netbeans.apache.org/#/title/verification_of_apache_netbeans_plugin/

It says nothing about not signed plugins but we came to the conclusion that if self-signed plugins are explicitly tolerated then not-signed ones should not.

However, if you and Neil think that the signature check should be excluded completely and NetBeans community supports it, let's remove it. And even more if the whole verification process is seen as useless then let's have an official community voting and then get rid of it!

As an immediate fix I have changed my NoGo to Go for all your 3 plugins and hereby ask Carlos/Geertjan/Mani to do the same if they agree.

Hope this helps,
-Jirka

On 16. 02. 23 at 19:46, Matthias Bläsing wrote:
Hi again,

this is getting ridiculous. There are zero replies here (apart from
telling me things I already know) and no verifier reacts.

I'm currently thinking, that we need a different approach to the Plugin
Portal, as there is zero communication. This is the place authors are
pointed and here they don't get an answer.

There is still no statement why my plugins suddenly get rejected,
although they were fine for multiple releases.

Greetings

Matthias

On Monday, 30.01.2023 at 19:03 +0100, Matthias Bläsing wrote:
Hi,

I asked for reverification of three plugins. These plugins:

- PlantUML-NB
- LDIF Editor
- LDAP Explorer

are verified for NB 11.0/12.0 till NB 16 version. Nothing was changed
on the plugins for 17 and now the plugins are not good enough anymore.
So what is going on?

They are rejected, because they are not signed, fine, but then why is
that an issue? The signatures gain you nothing as there is no trust
anchor, we don't distribute blocked author certificates and the
download from plugin portal is protected by the checksums.

This is bogus, so what changed and why was this not communicated? I
assume, that I was not the only one surprised by this. What is more, I'd
need to do a full release cycle without any code changes, without any
benefit.

Greetings

Matthias

PS: Jiří I added you to direct CC as I'm not sure how closely you
monitor dev@

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@netbeans.apache.org
For additional commands, e-mail: dev-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists




