On Mon, Feb 20, 2023 at 3:28 PM Eric Bresie <ebre...@gmail.com> wrote:
> Isn’t the whole reason for signed plugins to ensure they are provided by a
> trusted source and not tampered with by bad actors? If no signing, does
> that add a risk of possible tainted plugins with malicious intent?
>
> Eric

That should be the case. Of course that also means that self-signed plugins shouldn't be accepted either.

Jiří Kovalský wrote:
> > It says nothing about not signed plugins but we came to the conclusion
> > that if self-signed plugins are explicitly tolerated then not-signed ones
> > should not.

Which seems backwards to me. If you allow self-signed, which is effectively useless for verifying anything, then you should allow not signed as it has the same security.

If certificate authorities weren't overcharging so much for a signing certificate it wouldn't be an issue for Open Source developers that are essentially working for free - who can afford to maintain a signing certificate for free work? Perhaps NetBeans/Apache should create certificates for plugin developers or offer a signing service?

Scott

> > On Mon, Feb 20, 2023 at 1:37 PM Matthias Bläsing
> > <mblaes...@doppel-helix.eu.invalid> wrote:
> >
> > Hi Jiří,
> >
> > On Friday, 17.02.2023 at 18:49 +0100, Jiří Kovalský wrote:
> > > Anyway, I can give the context here. :) About two months ago Mani
> > > (Cc:ed here) joined the team of plugin verifiers as a new volunteer and
> > > during the introductory call with him we talked about whether plugins
> > > should be signed. As per the Plugin Verification specification [1] the
> > > installation instructions only mention:
> > >
> > > 1.8 If validation warning about self-signed certificate is displayed,
> > > accept it by clicking Continue button.
> > >
> > > [1]
> > > https://synergy.netbeans.apache.org/#/title/verification_of_apache_netbeans_plugin/
> > >
> > > It says nothing about not signed plugins but we came to the conclusion
> > > that if self-signed plugins are explicitly tolerated then not-signed ones
> > > should not.
> > >
> > > However, if you and Neil think that the signature check should be
> > > excluded completely and the NetBeans community supports it, let's remove it.
> > > And even more if the whole verification process is seen as useless then
> > > let's have an official community voting and then get rid of it!
> >
> > I have mixed feelings about this, but my surprise did not come from the
> > requirement to sign the package, but from the change in policy. If the
> > plugin had not been approved multiple times before, I might have just
> > shrugged it off, this way it felt very irritating.
> >
> > Anyway, I want to focus on other things, so for now let's keep it as is.
> > Seems to be working.
> >
> > > As an immediate fix I have changed my NoGo to Go for all your 3 plugins
> > > and hereby ask Carlos/Geertjan/Mani to do the same if they agree.
> >
> > Thank you.
> >
> > Greetings
> >
> > Matthias