Sounds good, thanks Jirka.

Gj

On Fri, 12 Jul 2024 at 19:27, Jiří Kovalský <[email protected]> wrote:
> Since there has been no further communication on this topic, let's take
> this as a lazy consensus that signatures won't be considered at all when
> verifying plugins going forward. I have updated step 8 in the "Install
> plugin" Synergy test accordingly:
>
> https://synergy.netbeans.apache.org/#/case/6314/suite/2525/v/1
>
> Anyone please speak up if you disagree.
>
> Mani, Carlos, Geertjan - FYI
>
> Thanks,
> -Jirka
>
> On 14. 08. 23 at 19:44, Neil C Smith wrote:
> > On Sun, 13 Aug 2023 at 21:10, Matthias Bläsing
> > <[email protected]> wrote:
> >> Reasoning:
> >>
> >> Plugin unsigned. Please sign (self-signed is ok) and re-submit for
> >> verification
> >>
> >> This was not a problem in: 11, 12, 16 and 17.
> >>
> >> _Nothing_ changed for these plugins and I don't see why I should waste
> >> resources in CI/CD systems and on maven central, just to "fix"
> >> something, that was not broken for a long time.
> >
> > Yes, anything that was previously verified should be allowed through
> > unless it's actually broken. We have a limited RC window for people
> > to test with plugins as it is. Making plugin authors jump through
> > unnecessary hoops doesn't help there.
> >
> >> The requirement to sign the plugins is questionable in itself without a
> >> trust anchor or revocation list, but I can live with requiring
> >> signature for updates (this will become fun, once the signature
> >> expires, but ...)
> >
> > Agreed! And we have SHA in the catalog which I assume are checked?!
> >
> > As you've raised this before, I would suggest you just kick off a lazy
> > consensus thread on removing the self-sign requirement. Or on the
> > validation rules as a whole.
> >
> > Best wishes,
> >
> > Neil
