On 26/09/18 06:17, Tim Boudreau wrote:
> The plugins site could sign modules, but since it aggregates modules from elsewhere, that wouldn't mean much. And if the signature is not tied to the download host, all it means is "someone signed it" - a proxy that injects code and signs the result would be trivial. If it were tied to the download host, module aggregators would be impossible.
Plugins could be digitally signed with PGP keys (ASF digital certificates, anyone?). That would allow us to verify _the content_. That's key in this, IMHO. Signature is not then tied to the download host, but to the ASF itself (or to one of the ASF committers through their PGP key).
> HTTPS is not just for protecting sensitive information. It is also for verifying that you're talking to the server you think you are. There is no
We can verify we're talking with a proper ASF mirror, but that says nothing regarding security. The ASF mirror could have been hacked, for instance (Gentoo mirrors were hacked in June 2018 [1]). I still believe security is about the content, not about the transport.
> excuse in today's world for not using HTTPS for everything.
Agreed. HTTPS for everything. But also digital signatures for plugins.

Cheers,
Antonio

[1] https://www.theinquirer.net/inquirer/news/3035066/gentoo-github-mirror-hacked
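As an added illustration (not code from this thread or from NetBeans) of the content-bound check Antonio describes: a minimal verifier that accepts a plugin only if its bytes carry a signature from a key in a trusted keyring, so the same file verifies from any mirror while a modified copy fails regardless of the transport. Ed25519 from the Go standard library stands in for PGP here, and the keyring, key names and plugin bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Keyring models the set of trusted publisher keys (think of a project KEYS file).
// Hypothetical type; ed25519 stands in for PGP, which is not in the standard library.
type Keyring map[string]ed25519.PublicKey

// VerifyPlugin reports whether the plugin bytes are signed by some trusted key.
// Only the content and the signature are checked; which host served the bytes
// plays no part, which is exactly why a hacked mirror cannot make a tampered
// file verify.
func VerifyPlugin(ring Keyring, plugin, sig []byte) (signer string, ok bool) {
	for name, pub := range ring {
		if ed25519.Verify(pub, plugin, sig) {
			return name, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample: one committer key and one plugin archive.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ring := Keyring{"committer@example.invalid": pub}
	plugin := []byte("PK\x03\x04 constructed plugin archive bytes")
	sig := ed25519.Sign(priv, plugin)

	// Identical bytes verify no matter which mirror delivered them.
	fmt.Println(VerifyPlugin(ring, plugin, sig))

	// A mirror or proxy that injects code invalidates the signature, HTTPS or not.
	tampered := append(append([]byte{}, plugin...), []byte(" injected")...)
	fmt.Println(VerifyPlugin(ring, tampered, sig))

	// Re-signing the tampered file with a key outside the keyring does not help either.
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(VerifyPlugin(ring, tampered, ed25519.Sign(rogue, tampered)))
}
```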