Re: NetBeans Plugin Verification - Changing Rules - suddenly not good enough anymore

2023-01-31 Thread Moacir da Roza
Ahh sorry Matthias Bläsing and Fabian Bahle.
I read again and understand.


-- 
Moacir R.F
Software Developer

https://www.moacirrf.com.br 


Re: NetBeans Plugin Verification - Changing Rules - suddenly not good enough anymore

2023-01-31 Thread Neil C Smith
On Mon, 30 Jan 2023 at 20:08, Matthias Bläsing wrote:
> yes, I know how I can sign JARs/NBMs, the point is: This was not
> necessary for multiple NetBeans releases. I'm missing the explanation
> why something that was fine for at least 5 releases is now a problem.
>
> That communication did not happen and was not discussed here.

Welcome to the "verification process isn't working" side of the
conversation! :-)

Yes, this doesn't seem right.  These things should be discussed on dev@

We're about to switch to the NB17 plugin portal for 17-rc3 (as agreed
with plugin portal verifiers off-list - so far we kept NB16 portal).
The more existing plugins that are verified the better.  It's one way
of checking if we've introduced inadvertent changes in the IDE since
the last release.

IMO there are two main reasons a plugin that was verified for the last
release shouldn't be in this one.  The plugin was using implementation
versions, in which case it shouldn't have been verified in the first
place.  Or we broke backwards compatibility, deliberately or
inadvertently, and should consider the problem.

Other than that, if it was verified fine for 16 I don't see a reason
to apply different rules to 17?!

Best wishes,

Neil

-
To unsubscribe, e-mail: dev-unsubscr...@netbeans.apache.org
For additional commands, e-mail: dev-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists





Re: NetBeans Plugin Verification - Changing Rules - suddenly not good enough anymore

2023-01-30 Thread Fabian Bahle
Hi,

I think Matthias Bläsing (correct me if I’m wrong) knows how to sign, but the 
question here is why do we need to sign plugins that were already verified for 
earlier NetBeans versions, what changed in NetBeans 17 that we need the signing 
now?

I did get the same response for my plugins and I just signed them, but I was 
wondering why this is needed now as well.
I thought I might have missed something here and therefore just signed my plugins
and did a new release.


Kind regards,
Fabian







Re: NetBeans Plugin Verification - Changing Rules - suddenly not good enough anymore

2023-01-30 Thread Moacir da Roza
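Hi, a more detailed explanation: I believe they need to be signed with a key
included in a keystore.

*1-* Use the Java keytool on the command line

    keytool -genkey -keyalg RSA -alias my-key-alias-key -keystore keystore.jks -validity 365

Answer all the questions and enter a password.

*2-* Include in pom.xml

    <plugin>
        <groupId>org.apache.netbeans.utilities</groupId>
        <artifactId>nbm-maven-plugin</artifactId>
        <version>4.7</version>
        <extensions>true</extensions>
        <configuration>
            <author>Moacir da Roza flores-moaci...@gmail.com</author>
            <licenseName>GNU GENERAL PUBLIC LICENSE 3.0</licenseName>
            <licenseFile>LICENSE</licenseFile>
            <!-- signing: keystore file, its password (passed with -Dkeypass) and key alias -->
            <keystore>${basedir}/keystore.jks</keystore>
            <keystorepassword>${keypass}</keystorepassword>
            <keystorealias>my-key-alias-key</keystorealias>
        </configuration>
    </plugin>

*3-* Now build, passing the password

    mvn -Dkeypass=password nbm:nbm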







-- 
Moacir R.F
Software Developer

https://www.moacirrf.com.br 
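
After the build in step 3, one can check that the resulting NBM actually carries JAR signature files and record its checksum. This is an added example, not part of the original thread and not NetBeans or plugin portal code. It assumes an NBM is an ordinary ZIP/JAR archive, uses constructed in-memory archives with placeholder signature bytes, and all function names are hypothetical; it reports only the presence of signature files and does not validate the signature or the certificate.

```python
import hashlib
import io
import re
import zipfile

# JAR signing adds META-INF/<SIGNER>.SF plus a signature block
# (.RSA, .DSA or .EC) next to META-INF/MANIFEST.MF.
SF_RE = re.compile(r"^META-INF/([^/]+)\.SF$")
BLOCK_EXTS = (".RSA", ".DSA", ".EC")


def signer_names(archive_bytes):
    """Return sorted signer names that have both a .SF file and a signature block."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = {n.upper() for n in zf.namelist()}
    signers = []
    for name in names:
        m = SF_RE.match(name)
        if m and any(f"META-INF/{m.group(1)}{ext}" in names for ext in BLOCK_EXTS):
            signers.append(m.group(1))
    return sorted(signers)


def sha256_hex(archive_bytes):
    """Checksum over the whole file, the kind of value a download site publishes."""
    return hashlib.sha256(archive_bytes).hexdigest()


def build_sample(signed):
    """Constructed sample archive; the signature entries are placeholders, not real."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Info/info.xml", "<module codenamebase='org.example.demo'/>")
        if signed:
            # Constructed signer file name for the alias my-key-alias-key
            zf.writestr("META-INF/MY-KEY-A.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/MY-KEY-A.RSA", b"placeholder-pkcs7-block")
    return buf.getvalue()


def report(archive_bytes):
    """Summarise signature presence and checksum for one archive."""
    signers = signer_names(archive_bytes)
    return {"signed": bool(signers), "signers": signers,
            "sha256": sha256_hex(archive_bytes)}


if __name__ == "__main__":
    for label, data in (("unsigned", build_sample(False)),
                        ("signed", build_sample(True))):
        print(label, report(data))
```

For a real file, pass the bytes read from the `.nbm`; cryptographic validation of the signature itself is done with `jarsigner -verify`.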


Re: NetBeans Plugin Verification - Changing Rules - suddenly not good enough anymore

2023-01-30 Thread Matthias Bläsing
Hi,

yes, I know how I can sign JARs/NBMs, the point is: This was not
necessary for multiple NetBeans releases. I'm missing the explanation
why something that was fine for at least 5 releases is now a problem.

That communication did not happen and was not discussed here.

Greetings

Matthias






Re: NetBeans Plugin Verification - Changing Rules - suddenly not good enough anymore

2023-01-30 Thread Moacir da Roza
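I believe they need to be signed with a key included in a keystore

*1-* Use the Java keytool:

    keytool -genkey -keyalg RSA -alias my-key-alias-key -keystore keystore.jks -validity 365

*2-* Include in pom.xml

    <plugin>
        <groupId>org.apache.netbeans.utilities</groupId>
        <artifactId>nbm-maven-plugin</artifactId>
        <version>4.7</version>
        <extensions>true</extensions>
        <configuration>
            <!-- ${netbeansInstalationPath} -->
            <keystore>${basedir}/keystore.jks</keystore>
            <keystorepassword>${keypass}</keystorepassword>
            <keystorealias>my-key-alias-key</keystorealias>
        </configuration>
    </plugin>
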


-- 
Moacir R.F
Software Developer

https://www.moacirrf.com.br 


NetBeans Plugin Verification - Changing Rules - suddenly not good enough anymore

2023-01-30 Thread Matthias Bläsing
Hi,

I asked for reverification of three plugins. These plugins:

- PlantUML-NB
- LDIF Editor
- LDAP Explorer

are verified for NB 11.0/12.0 till NB 16 version. Nothing was changed
on the plugins for 17 and now the plugins are not good enough anymore.
So what is going on?

They are rejected, because they are not signed, fine, but then why is
that an issue? The signatures gain you nothing as there is no trust
anchor, we don't distribute blocked author certificates and the
download from plugin portal is protected by the checksums.

This is bogus, so what changed and why was this not communicated? I
assume, that I was not the only one surprised by this. What is more, I'd
need to do a full release cycle without any code changes, without any
benefit.

Greetings

Matthias

PS: Jiří I added you to direct CC as I'm not sure how closely you
monitor dev@
