Posted to dev@netbeans.apache.org by Matthias Bläsing <mb...@doppel-helix.eu.INVALID> on 2023/01/30 18:03:32 UTC

NetBeans Plugin Verification - Changing Rules - suddenly not good enough anymore

Hi,

I asked for reverification of three plugins. These plugins:

- PlantUML-NB
- LDIF Editor
- LDAP Explorer

are verified for NB 11.0/12.0 till NB 16 version. Nothing was changed
on the plugins for 17 and now the plugins are not good enough anymore.
So what is going on?

They are rejected, because they are not signed, fine, but then why is
that an issue? The signatures gain you nothing as there is no trust
anchor, we don't distribute blocked author certificates and the
download from plugin portal is protected by the checksums.

This is bogus, so what changed and why was this not communicated? I
assume that I was not the only one surprised by this. What is more, I'd
need to do a full release cycle without any code changes, without any
benefit.

Greetings

Matthias

PS: Jiří I added you to direct CC as I'm not sure how closely you
monitor dev@

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@netbeans.apache.org
For additional commands, e-mail: dev-help@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists




Re: [External] : No communication from plugin portal verifiers (do we need to drop plugin portal?)

Posted by Scott Palmer <sw...@gmail.com>.
On Mon, Feb 20, 2023 at 3:28 PM Eric Bresie <eb...@gmail.com> wrote:

> Isn’t the whole reason for signed plugins to ensure they are provided by a
> trusted source and not tampered with by bad actors?  If no signing, does
> that add a risk of possible tainted plugins with malicious intent?
>
> Eric
>

That should be the case. Of course that also means that self-signed plugins
shouldn't be accepted either.

Jiří Kovalský wrote:
> > It says nothing about not signed plugins but we came to the conclusion
> > that if self-signed plugins are explicitly tolerated then not-signed ones
> > should not.

Which seems backwards to me.  If you allow self-signed, which is
effectively useless for verifying anything, then you should allow
not signed as it has the same security.

If certificate authorities weren't overcharging so much for a signing
certificate it wouldn't be an issue for Open Source developers that are
essentially working for free - who can afford to maintain a signing
certificate for free work?
Perhaps NetBeans/Apache should create certificates for plugin developers or
offer a signing service?

Scott


>
> On Mon, Feb 20, 2023 at 1:37 PM Matthias Bläsing
> <mb...@doppel-helix.eu.invalid> wrote:
>
> > Hi Jiří,
> >
> > On Friday, 17.02.2023 at 18:49 +0100, Jiří Kovalský wrote:
> > >     Anyway, I can give the context here. :) About two months ago Mani
> > > (Cc:ed here) joined the team of plugin verifiers as a new volunteer and
> > > during the introductory call with him we talked about whether plugins
> > > should be signed. As per the Plugin Verification specification [1] the
> > > installation instructions only mention:
> > >
> > > 1.8 If validation warning about self-signed certificate is displayed,
> > > accept it by clicking Continue button.
> > >
> > > [1]
> > > https://synergy.netbeans.apache.org/#/title/verification_of_apache_netbeans_plugin/
> > >
> > > It says nothing about not signed plugins but we came to the conclusion
> > > that if self-signed plugins are explicitly tolerated then not-signed ones
> > > should not.
> > >
> > > However, if you and Neil think that the signature check should be
> > > excluded completely and NetBeans community supports it, let's remove it.
> > > And even more if the whole verification process is seen as useless then
> > > let's have an official community voting and then get rid of it!
> >
> > I have mixed feelings about this, but my surprise did not come from the
> > requirement to sign the package, but from the change in policy. If the
> > plugin had not been approved multiple times before, I might have just
> > shrugged it off, this way it felt very irritating.
> >
> > Anyway, I want to focus on other things, so for now let's keep it as is.
> > Seems to be working.
> >
> > > As an immediate fix I have changed my NoGo to Go for all your 3 plugins
> > > and hereby ask Carlos/Geertjan/Mani to do the same if they agree.
> >
> > Thank you.
> >
> > Greetings
> >
> > Matthias
>
>
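Matthias's point in the opening message (the portal checksum protects the download, while a signature with no trust anchor says nothing about who built the plugin) and Scott's reply above (a self-signed plugin gives no more assurance than an unsigned one) can be made concrete with a small checker. The following is an added example, not code from this thread, from NetBeans or from the plugin portal: it uses only the Python standard library, constructs its own sample .nbm-like archive (an .nbm is a zip/JAR), and the stage names and function names are my own.

```python
"""Added example (not from the thread or from NetBeans): the integrity checks a
plugin-portal client can apply to a downloaded .nbm, which is a zip/JAR archive.
Stage names, function names and the sample archive are constructed for this illustration."""
import base64
import hashlib
import hmac
import io
import zipfile
from typing import Dict, List, Optional

SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def download_checksum_ok(data: bytes, expected_sha256: str) -> bool:
    """Stage 1: the checksum published by the portal catalog covers the transport.
    It proves the bytes are what the portal listed, not who produced them."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def _parse_manifest(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a JAR manifest into {section name: {header: value}}; "" is the main
    section. Continuation lines (leading space) are joined as the JAR spec requires."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    name = ""
    for line in lines + [""]:
        if not line:
            if current:
                sections[name] = current
            current, name = {}, ""
            continue
        key, _, value = line.partition(":")
        if key == "Name":
            name = value.strip()
        else:
            current[key] = value.strip()
    return sections


def manifest_mismatches(data: bytes) -> List[str]:
    """Stage 2: the integrity half of what `jarsigner -verify` does. Compare every
    entry's SHA-256-Digest in META-INF/MANIFEST.MF with the entry's real bytes and
    return the entries that were modified or are not covered by the manifest."""
    bad: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        sections = _parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith("META-INF/"):
                continue
            expected = sections.get(info.filename, {}).get("SHA-256-Digest")
            actual = base64.b64encode(hashlib.sha256(zf.read(info)).digest()).decode()
            if expected != actual:
                bad.append(info.filename)
    return bad


def signature_state(data: bytes) -> str:
    """Stage 3: report whether a signature block exists at all. A present block only
    shows the manifest was signed by *some* key; without a trust anchor the client
    cannot tell a self-signed key from anyone else's, which is the thread's point."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        blocks = [n for n in zf.namelist()
                  if n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_BLOCK_SUFFIXES)]
    return "signed" if blocks else "unsigned"


def build_sample_nbm(entries: Dict[str, bytes], tamper: Optional[str] = None) -> bytes:
    """Construct a minimal unsigned .nbm-like archive with a correct manifest. If
    `tamper` names an entry, its bytes are swapped after the digests were computed,
    simulating modification of an entry the manifest already covers."""
    manifest = ["Manifest-Version: 1.0", ""]
    for name, content in entries.items():
        digest = base64.b64encode(hashlib.sha256(content).digest()).decode()
        manifest += ["Name: " + name, "SHA-256-Digest: " + digest, ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(manifest) + "\r\n")
        for name, content in entries.items():
            zf.writestr(name, b"tampered" if name == tamper else content)
    return buf.getvalue()


# Constructed sample content; the inner JAR is a placeholder byte string, not a real JAR.
SAMPLE_ENTRIES = {
    "Info/info.xml": b"<module codenamebase='org.example.plugin'/>",
    "netbeans/modules/org-example-plugin.jar": b"placeholder bytes, constructed",
}


if __name__ == "__main__":
    good = build_sample_nbm(SAMPLE_ENTRIES)
    catalog_sha256 = sha256_hex(good)  # what the portal would publish for this download
    print("checksum ok:", download_checksum_ok(good, catalog_sha256))
    print("manifest mismatches:", manifest_mismatches(good))
    print("signature:", signature_state(good))
    tampered = build_sample_nbm(SAMPLE_ENTRIES, tamper="Info/info.xml")
    print("tampered checksum ok:", download_checksum_ok(tampered, catalog_sha256))
    print("tampered manifest mismatches:", manifest_mismatches(tampered))
```

Stages 1 and 2 are pure integrity checks and hold for unsigned and self-signed archives alike; only a stage that maps the signer certificate to a trust anchor the IDE actually ships would turn "signed" into "trusted", and that stage is the one the thread notes is missing.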

Re: [External] : No communication from plugin portal verifiers (do we need to drop plugin portal?)

Posted by Michael Bien <mb...@gmail.com>.
all plugins of the plugin portal which were verified against your 
version of NetBeans will be shown in the plugin manager

-mbien


On 20.02.23 21:30, Chris wrote:
> Hey,
>
> as far as I can remember, signed plugins are shown in the plugin manager
> of NetBeans itself. This was the point under Oracle. Dunno whether this
> changed or not.
>
>
> Cheers
>
> Chris
>
> On 20.02.2023 at 21:28, Eric Bresie wrote:
>> Isn’t the whole reason for signed plugins to ensure they are provided 
>> by a
>> trusted source and not tampered with by bad actors?  If no signing, does
>> that add a risk of possible tainted plugins with malicious intent?
>>
>> Eric
>>
>> On Mon, Feb 20, 2023 at 1:37 PM Matthias Bläsing
>> <mb...@doppel-helix.eu.invalid> wrote:
>>
>>> Hi Jiří,
>>>
>>> On Friday, 17.02.2023 at 18:49 +0100, Jiří Kovalský wrote:
>>>>      Anyway, I can give the context here. :) About two months ago Mani
>>>> (Cc:ed here) joined the team of plugin verifiers as a new volunteer and
>>>> during the introductory call with him we talked about whether plugins
>>>> should be signed. As per the Plugin Verification specification [1] the
>>>> installation instructions only mention:
>>>>
>>>> 1.8 If validation warning about self-signed certificate is displayed,
>>>> accept it by clicking Continue button.
>>>>
>>>> [1]
>>>> https://synergy.netbeans.apache.org/#/title/verification_of_apache_netbeans_plugin/
>>>>
>>>> It says nothing about not signed plugins but we came to the conclusion
>>>> that if self-signed plugins are explicitly tolerated then not-signed ones
>>>> should not.
>>>>
>>>> However, if you and Neil think that the signature check should be
>>>> excluded completely and NetBeans community supports it, let's remove it.
>>>> And even more if the whole verification process is seen as useless then
>>>> let's have an official community voting and then get rid of it!
>>> I have mixed feelings about this, but my surprise did not come from the
>>> requirement to sign the package, but from the change in policy. If the
>>> plugin had not been approved multiple times before, I might have just
>>> shrugged it off, this way it felt very irritating.
>>>
>>> Anyway, I want to focus on other things, so for now let's keep it as is.
>>> Seems to be working.
>>>
>>>> As an immediate fix I have changed my NoGo to Go for all your 3 plugins
>>>> and hereby ask Carlos/Geertjan/Mani to do the same if they agree.
>>> Thank you.
>>>
>>> Greetings
>>>
>>> Matthias
>>>
>>> -- 
>> Eric Bresie
>> ebresie@gmail.com
>>
>






Re: [External] : No communication from plugin portal verifiers (do we need to drop plugin portal?)

Posted by Chris <ch...@gmx.net>.
Hey,

as far as I can remember, signed plugins are shown in the plugin manager
of NetBeans itself. This was the point under Oracle. Dunno whether this
changed or not.


Cheers

Chris

On 20.02.2023 at 21:28, Eric Bresie wrote:
> Isn’t the whole reason for signed plugins to ensure they are provided by a
> trusted source and not tampered with by bad actors?  If no signing, does
> that add a risk of possible tainted plugins with malicious intent?
>
> Eric
>
> On Mon, Feb 20, 2023 at 1:37 PM Matthias Bläsing
> <mb...@doppel-helix.eu.invalid> wrote:
>
>> Hi Jiří,
>>
>> On Friday, 17.02.2023 at 18:49 +0100, Jiří Kovalský wrote:
>>>      Anyway, I can give the context here. :) About two months ago Mani
>>> (Cc:ed here) joined the team of plugin verifiers as a new volunteer and
>>> during the introductory call with him we talked about whether plugins
>>> should be signed. As per the Plugin Verification specification [1] the
>>> installation instructions only mention:
>>>
>>> 1.8 If validation warning about self-signed certificate is displayed,
>>> accept it by clicking Continue button.
>>>
>>> [1]
>>> https://synergy.netbeans.apache.org/#/title/verification_of_apache_netbeans_plugin/
>>> It says nothing about not signed plugins but we came to the conclusion
>>> that if self-signed plugins are explicitly tolerated then not-signed ones
>>> should not.
>>>
>>> However, if you and Neil think that the signature check should be
>>> excluded completely and NetBeans community supports it, let's remove it.
>>> And even more if the whole verification process is seen as useless then
>>> let's have an official community voting and then get rid of it!
>> I have mixed feelings about this, but my surprise did not come from the
>> requirement to sign the package, but from the change in policy. If the
>> plugin had not been approved multiple times before, I might have just
>> shrugged it off, this way it felt very irritating.
>>
>> Anyway, I want to focus on other things, so for now let's keep it as is.
>> Seems to be working.
>>
>>> As an immediate fix I have changed my NoGo to Go for all your 3 plugins
>>> and hereby ask Carlos/Geertjan/Mani to do the same if they agree.
>> Thank you.
>>
>> Greetings
>>
>> Matthias
>>
>> --
> Eric Bresie
> ebresie@gmail.com
>





Re: [External] : No communication from plugin portal verifiers (do we need to drop plugin portal?)

Posted by ma...@gmail.com.
Good morning/Evening,
I am late to the party and would like to add why I gave a no-go because the
plugin was not signed.
This is from history and relates to my own published plugins in previous
releases.
I was given a no-go because the plugin was not signed. On re-submitting a
signed (self-signed) plugin it was approved.
I followed the same practice in giving your plugins a no-go with similar
advice.

*Cheers*
Mani/Naren/Iyer
*The trick of walking on water is knowing where the stones are.*


On Tue, Feb 21, 2023 at 1:58 AM Eric Bresie <eb...@gmail.com> wrote:

> Isn’t the whole reason for signed plugins to ensure they are provided by a
> trusted source and not tampered with by bad actors?  If no signing, does
> that add a risk of possible tainted plugins with malicious intent?
>
> Eric
>
> On Mon, Feb 20, 2023 at 1:37 PM Matthias Bläsing
> <mb...@doppel-helix.eu.invalid> wrote:
>
>> Hi Jiří,
>>
>> On Friday, 17.02.2023 at 18:49 +0100, Jiří Kovalský wrote:
>> >     Anyway, I can give the context here. :) About two months ago Mani
>> > (Cc:ed here) joined the team of plugin verifiers as a new volunteer and
>> > during the introductory call with him we talked about whether plugins
>> > should be signed. As per the Plugin Verification specification [1] the
>> > installation instructions only mention:
>> >
>> > 1.8 If validation warning about self-signed certificate is displayed,
>> > accept it by clicking Continue button.
>> >
>> > [1]
>> > https://synergy.netbeans.apache.org/#/title/verification_of_apache_netbeans_plugin/
>> >
>> > It says nothing about not signed plugins but we came to the conclusion
>> > that if self-signed plugins are explicitly tolerated then not-signed ones
>> > should not.
>> >
>> > However, if you and Neil think that the signature check should be
>> > excluded completely and NetBeans community supports it, let's remove it.
>> > And even more if the whole verification process is seen as useless then
>> > let's have an official community voting and then get rid of it!
>>
>> I have mixed feelings about this, but my surprise did not come from the
>> requirement to sign the package, but from the change in policy. If the
>> plugin had not been approved multiple times before, I might have just
>> shrugged it off, this way it felt very irritating.
>>
>> Anyway, I want to focus on other things, so for now let's keep it as is.
>> Seems to be working.
>>
>> > As an immediate fix I have changed my NoGo to Go for all your 3 plugins
>> > and hereby ask Carlos/Geertjan/Mani to do the same if they agree.
>>
>> Thank you.
>>
>> Greetings
>>
>> Matthias
>>
>> --
> Eric Bresie
> ebresie@gmail.com
>

Re: [External] : No communication from plugin portal verifiers (do we need to drop plugin portal?)

Posted by Eric Bresie <eb...@gmail.com>.
Isn’t the whole reason for signed plugins to ensure they are provided by a
trusted source and not tampered with by bad actors?  If no signing, does
that add a risk of possible tainted plugins with malicious intent?

Eric

On Mon, Feb 20, 2023 at 1:37 PM Matthias Bläsing
<mb...@doppel-helix.eu.invalid> wrote:

> Hi Jiří,
>
> On Friday, 17.02.2023 at 18:49 +0100, Jiří Kovalský wrote:
> >     Anyway, I can give the context here. :) About two months ago Mani
> > (Cc:ed here) joined the team of plugin verifiers as a new volunteer and
> > during the introductory call with him we talked about whether plugins
> > should be signed. As per the Plugin Verification specification [1] the
> > installation instructions only mention:
> >
> > 1.8 If validation warning about self-signed certificate is displayed,
> > accept it by clicking Continue button.
> >
> > [1]
> > https://synergy.netbeans.apache.org/#/title/verification_of_apache_netbeans_plugin/
> >
> > It says nothing about not signed plugins but we came to the conclusion
> > that if self-signed plugins are explicitly tolerated then not-signed ones
> > should not.
> >
> > However, if you and Neil think that the signature check should be
> > excluded completely and NetBeans community supports it, let's remove it.
> > And even more if the whole verification process is seen as useless then
> > let's have an official community voting and then get rid of it!
>
> I have mixed feelings about this, but my surprise did not come from the
> requirement to sign the package, but from the change in policy. If the
> plugin had not been approved multiple times before, I might have just
> shrugged it off, this way it felt very irritating.
>
> Anyway, I want to focus on other things, so for now let's keep it as is.
> Seems to be working.
>
> > As an immediate fix I have changed my NoGo to Go for all your 3 plugins
> > and hereby ask Carlos/Geertjan/Mani to do the same if they agree.
>
> Thank you.
>
> Greetings
>
> Matthias
>
> --
Eric Bresie
ebresie@gmail.com

Re: [External] : No communication from plugin portal verifiers (do we need to drop plugin portal?)

Posted by Matthias Bläsing <mb...@doppel-helix.eu.INVALID>.
Hi Jiří,

On Friday, 17.02.2023 at 18:49 +0100, Jiří Kovalský wrote:
>     Anyway, I can give the context here. :) About two months ago Mani
> (Cc:ed here) joined the team of plugin verifiers as a new volunteer and
> during the introductory call with him we talked about whether plugins
> should be signed. As per the Plugin Verification specification [1] the
> installation instructions only mention:
>
> 1.8 If validation warning about self-signed certificate is displayed,
> accept it by clicking Continue button.
>
> [1]
> https://synergy.netbeans.apache.org/#/title/verification_of_apache_netbeans_plugin/
>
> It says nothing about not signed plugins but we came to the conclusion
> that if self-signed plugins are explicitly tolerated then not-signed ones
> should not.
>
> However, if you and Neil think that the signature check should be
> excluded completely and NetBeans community supports it, let's remove it.
> And even more if the whole verification process is seen as useless then
> let's have an official community voting and then get rid of it!

I have mixed feelings about this, but my surprise did not come from the
requirement to sign the package, but from the change in policy. If the
plugin had not been approved multiple times before, I might have just
shrugged it off, this way it felt very irritating.

Anyway, I want to focus on other things, so for now let's keep it as is.
Seems to be working.

> As an immediate fix I have changed my NoGo to Go for all your 3 plugins 
> and hereby ask Carlos/Geertjan/Mani to do the same if they agree.

Thank you.

Greetings

Matthias





Re: [External] : No communication from plugin portal verifiers (do we need to drop plugin portal?)

Posted by Jiří Kovalský <ji...@oracle.com>.
Hi Matthias,

    first of all sorry for not reacting to your question sooner but I 
was busy lately so I didn't check the list, and the direct message for 
some reason didn't end up in the Inbox either. :(

    Anyway, I can give the context here. :) About two months ago Mani 
(Cc:ed here) joined the team of plugin verifiers as a new volunteer and 
during the introductory call with him we talked about whether plugins 
should be signed. As per the Plugin Verification specification [1] the 
installation instructions only mention:

1.8 If validation warning about self-signed certificate is displayed, 
accept it by clicking Continue button.

[1] 
https://synergy.netbeans.apache.org/#/title/verification_of_apache_netbeans_plugin/

It says nothing about not signed plugins but we came to the conclusion 
that if self-signed plugins are explicitly tolerated then not-signed ones 
should not.

However, if you and Neil think that the signature check should be 
excluded completely and NetBeans community supports it, let's remove it. 
And even more if the whole verification process is seen as useless then 
let's have an official community voting and then get rid of it!

As an immediate fix I have changed my NoGo to Go for all your 3 plugins 
and hereby ask Carlos/Geertjan/Mani to do the same if they agree.

Hope this helps,
-Jirka

On 16. 02. 23 at 19:46, Matthias Bläsing wrote:
> Hi again,
> 
> this is getting ridiculous. There are zero replies here (apart from
> telling me things I already know) and no verifier reacts.
> 
> I'm currently thinking that we need a different approach to the Plugin
> Portal, as there is zero communication. This is the place authors are
> pointed to and here they don't get an answer.
> 
> There is still no statement why my plugins suddenly get rejected,
> although they were fine for multiple releases.
> 
> Greetings
> 
> Matthias
> 
> On Monday, 30.01.2023 at 19:03 +0100, Matthias Bläsing wrote:
>> Hi,
>>
>> I asked for reverification of three plugins. These plugins:
>>
>> - PlantUML-NB
>> - LDIF Editor
>> - LDAP Explorer
>>
>> are verified for NB 11.0/12.0 till NB 16 version. Nothing was changed
>> on the plugins for 17 and now the plugins are not good enough anymore.
>> So what is going on?
>>
>> They are rejected, because they are not signed, fine, but then why is
>> that an issue? The signatures gain you nothing as there is no trust
>> anchor, we don't distribute blocked author certificates and the
>> download from plugin portal is protected by the checksums.
>>
>> This is bogus, so what changed and why was this not communicated? I
>> assume that I was not the only one surprised by this. What is more, I'd
>> need to do a full release cycle without any code changes, without any
>> benefit.
>>
>> Greetings
>>
>> Matthias
>>
>> PS: Jiří I added you to direct CC as I'm not sure how closely you
>> monitor dev@
>>
> 





No communication from plugin portal verifiers (do we need to drop plugin portal?)

Posted by Matthias Bläsing <mb...@doppel-helix.eu.INVALID>.
Hi again,

this is getting ridiculous. There are zero replies here (apart from
telling me things I already know) and no verifier reacts.

I'm currently thinking that we need a different approach to the Plugin
Portal, as there is zero communication. This is the place authors are
pointed to and here they don't get an answer.

There is still no statement why my plugins suddenly get rejected,
although they were fine for multiple releases.

Greetings

Matthias

On Monday, 30.01.2023 at 19:03 +0100, Matthias Bläsing wrote:
> Hi,
> 
> I asked for reverification of three plugins. These plugins:
> 
> - PlantUML-NB
> - LDIF Editor
> - LDAP Explorer
> 
> are verified for NB 11.0/12.0 till NB 16 version. Nothing was changed
> on the plugins for 17 and now the plugins are not good enough anymore.
> So what is going on?
> 
> They are rejected, because they are not signed, fine, but then why is
> that an issue? The signatures gain you nothing as there is no trust
> anchor, we don't distribute blocked author certificates and the
> download from plugin portal is protected by the checksums.
> 
> This is bogus, so what changed and why was this not communicated? I
> assume that I was not the only one surprised by this. What is more, I'd
> need to do a full release cycle without any code changes, without any
> benefit.
> 
> Greetings
> 
> Matthias
> 
> PS: Jiří I added you to direct CC as I'm not sure how closely you
> monitor dev@
> 






Re: NetBeans Plugin Verification - Changing Rules - suddenly not good enough anymore

Posted by Moacir da Roza <mo...@gmail.com>.
Ahh sorry Matthias Bläsing and Fabian Bahle.
I read again and understand.

On Mon., Jan 30, 2023 at 18:09, Fabian Bahle <in...@funfried.de>
wrote:

> Hi,
>
> I think Matthias Bläsing (correct me if I’m wrong) knows how to sign, but
> the question here is why do we need to sign plugins that were already
> verified for earlier NetBeans versions, what changed in NetBeans 17 that we
> need the signing now?
>
> I did get the same response for my plugins and I just signed them, but I
> was wondering why this is needed now as well.
> I thought I might have missed something here and therefore just signed my
> plugins and did a new release.
>
>
> Kind regards,
> Fabian
>
>
> > On 30.01.2023 at 21:09, Moacir da Roza <mo...@gmail.com> wrote:
> >
> > Hi, a more detailed explanation: I believe they need to be signed with a key
> > included in a keystore.
> >
> > 1- Use the Java keytool on the command line:
> >
> > keytool -genkey -keyalg RSA -alias my-key-alias-key -keystore
> > keystore.jks -validity 365
> > Answer all questions and set a password.
> >
> > 2- Include in pom.xml
> >            <plugin>
> >                <groupId>org.apache.netbeans.utilities</groupId>
> >                <artifactId>nbm-maven-plugin</artifactId>
> >                <version>4.7</version>
> >                <extensions>true</extensions>
> >                <configuration>
> >                    <author>Moacir da Roza Flores-moacirrf@gmail.com</author>
> >                    <licenseName>GNU GENERAL PUBLIC LICENSE 3.0</licenseName>
> >                    <licenseFile>LICENSE</licenseFile>
> >
> >                    <keystore>${basedir}/keystore.jks</keystore>
> >                    <!-- it is safer not to hardcode the password, so use a variable -->
> >                    <keystorepassword>${keypass}</keystorepassword>
> >                    <keystorealias>my-key-alias-key</keystorealias>
> >
> >                </configuration>
> >            </plugin>
> >
> > 3- Now build, passing the password:
> > mvn -Dkeypass=password nbm:nbm
> >
> >
> >
> >
> >
> > On Mon., Jan 30, 2023 at 17:00, Moacir da Roza <moacirrf@gmail.com>
> > wrote:
> >
> >> I believe they need to be signed with a key included in a keystore
> >>
> >> 1- Use the Java keytool:
> >>
> >> keytool -genkey -keyalg RSA -alias my-key-alias-key -keystore keystore.jks
> >> -validity 365
> >>
> >>
> >> 2- Include in pom.xml
> >>            <plugin>
> >>                <groupId>org.apache.netbeans.utilities</groupId>
> >>                <artifactId>nbm-maven-plugin</artifactId>
> >>                <version>4.7</version>
> >>                <extensions>true</extensions>
> >>                <configuration>
> >>
> >> <!-- <netbeansInstallation>${netbeansInstalationPath}</netbeansInstallation> -->
> >>                    <keystore>${basedir}/keystore.jks</keystore>
> >>                    <keystorepassword>${keypass}</keystorepassword>
> >>                    <keystorealias>my-key-alias-key</keystorealias>
> >>
> >>                </configuration>
> >>            </plugin>
> >> ....
> >>
> >> On Mon., Jan 30, 2023 at 15:03, Matthias Bläsing
> >> <mb...@doppel-helix.eu.invalid> wrote:
> >>
> >>> Hi,
> >>>
> >>> I asked for reverification of three plugins. These plugins:
> >>>
> >>> - PlantUML-NB
> >>> - LDIF Editor
> >>> - LDAP Explorer
> >>>
> >>> are verified for NB 11.0/12.0 till NB 16 version. Nothing was changed
> >>> on the plugins for 17 and now the plugins are not good enough anymore.
> >>> So what is going on?
> >>>
> >>> They are rejected, because they are not signed, fine, but then why is
> >>> that an issue? The signatures gain you nothing as there is no trust
> >>> anchor, we don't distribute blocked author certificates and the
> >>> download from plugin portal is protected by the checksums.
> >>>
> >>> This is bogus, so what changed and why was this not communicated? I
> >>> assume that I was not the only one surprised by this. What is more, I'd
> >>> need to do a full release cycle without any code changes, without any
> >>> benefit.
> >>>
> >>> Greetings
> >>>
> >>> Matthias
> >>>
> >>> PS: Jiří I added you to direct CC as I'm not sure how closely you
> >>> monitor dev@
> >>>
> >>
> >> --
> >> Moacir R.F
> >> Software Developer
> >>
> >> https://www.moacirrf.com.br <http://www.moacirrf.com.br>
> >>
> >
> >
> > --
> > Moacir R.F
> > Software Developer
> >
> > https://www.moacirrf.com.br <http://www.moacirrf.com.br>
>
>

-- 
Moacir R.F
Software Developer

https://www.moacirrf.com.br <http://www.moacirrf.com.br>

Re: NetBeans Plugin Verification - Changing Rules - suddenly not good enough anymore

Posted by Fabian Bahle <in...@funfried.de>.
Hi,

I think Matthias Bläsing (correct me if I’m wrong) knows how to sign, but the question here is why do we need to sign plugins that were already verified for earlier NetBeans versions, what changed in NetBeans 17 that we need the signing now?

I did get the same response for my plugins and I just signed them, but I was wondering why this is needed now as well.
I thought I might have missed something here and therefore just signed my plugins and did a new release.


Kind regards,
Fabian


> On 30.01.2023 at 21:09, Moacir da Roza <mo...@gmail.com> wrote:
> 
> Hi a more detailed explanation, believe they need to be signed with a key
> included on keystore a more.
> 
> *1-* Use java key tool on command line
> 
> keytool -genkey -keyalg RSA -alias *my-key-alias-key* -keystore
> *keystore.jks* -validity 365
> Answer all question and password.
> 
> 2- Include in pom.xml:
> 
>            <plugin>
>                <groupId>org.apache.netbeans.utilities</groupId>
>                <artifactId>nbm-maven-plugin</artifactId>
>                <version>4.7</version>
>                <extensions>true</extensions>
>                <configuration>
>                    <author>Moacir da Roza Flores-moacirrf@gmail.com</author>
>                    <licenseName>GNU GENERAL PUBLIC LICENSE 3.0</licenseName>
>                    <licenseFile>LICENSE</licenseFile>
> 
>                    <keystore>${basedir}/keystore.jks</keystore>
>                    <!-- it is safer not to hardcode the password, so use a variable -->
>                    <keystorepassword>${keypass}</keystorepassword>
>                    <keystorealias>my-key-alias-key</keystorealias>
>                </configuration>
>            </plugin>
> 
> 3- Now build, passing the password:
> 
> mvn -Dkeypass=password nbm:nbm
> 
> 
> 
> 
> 
> On Mon, 30 Jan 2023 at 17:00, Moacir da Roza <mo...@gmail.com>
> wrote:
> 
>> I believe they need to be signed with a key included in a keystore
>> 
>> 1- Use the Java keytool:
>> 
>> keytool -genkey -keyalg RSA -alias my-key-alias-key -keystore keystore.jks -validity 365
>> 
>> 
>> 2- Include in pom.xml:
>> 
>>            <plugin>
>>                <groupId>org.apache.netbeans.utilities</groupId>
>>                <artifactId>nbm-maven-plugin</artifactId>
>>                <version>4.7</version>
>>                <extensions>true</extensions>
>>                <configuration>
>>                    <!-- <netbeansInstallation>${netbeansInstalationPath}</netbeansInstallation> -->
>>                    <keystore>${basedir}/keystore.jks</keystore>
>>                    <keystorepassword>${keypass}</keystorepassword>
>>                    <keystorealias>my-key-alias-key</keystorealias>
>>                </configuration>
>>            </plugin>
>> ....
>> 
>> On Mon, 30 Jan 2023 at 15:03, Matthias Bläsing
>> <mb...@doppel-helix.eu.invalid> wrote:
>> 
>>> Hi,
>>> 
>>> I asked for reverification of three plugins. These plugins:
>>> 
>>> - PlantUML-NB
>>> - LDIF Editor
>>> - LDAP Explorer
>>> 
>>> are verified for NB 11.0/12.0 till NB 16 version. Nothing was changed
>>> on the plugins for 17 and now the plugins are not good enough anymore.
>>> So what is going on?
>>> 
>>> They are rejected, because they are not signed, fine, but then why is
>>> that an issue? The signatures gain you nothing as there is no trust
>>> anchor, we don't distribute blocked author certificates and the
>>> download from plugin portal is protected by the checksums.
>>> 
>>> This is bogus, so what changed and why was this not communicated? I
>>> assume that I was not the only one surprised by this. What is more, I'd
>>> need to do a full release cycle without any code changes, without any
>>> benefit.
>>> 
>>> Greetings
>>> 
>>> Matthias
>>> 
>>> PS: Jiří I added you to direct CC as I'm not sure how closely you
>>> monitor dev@
>>> 
>> 
>> --
>> Moacir R.F
>> Software Developer
>> 
>> https://www.moacirrf.com.br <http://www.moacirrf.com.br>
>> 
> 
> 
> -- 
> Moacir R.F
> Software Developer
> 
> https://www.moacirrf.com.br <http://www.moacirrf.com.br>




Re: NetBeans Plugin Verification - Changing Rules - suddenly not good enough anymore

Posted by Moacir da Roza <mo...@gmail.com>.
Hi, a more detailed explanation: I believe they need to be signed with a key
included in a keystore.

1- Use the Java keytool on the command line:

keytool -genkey -keyalg RSA -alias my-key-alias-key -keystore keystore.jks -validity 365

Answer all questions and set a password.

2- Include in pom.xml:

            <plugin>
                <groupId>org.apache.netbeans.utilities</groupId>
                <artifactId>nbm-maven-plugin</artifactId>
                <version>4.7</version>
                <extensions>true</extensions>
                <configuration>
                    <author>Moacir da Roza Flores-moacirrf@gmail.com</author>
                    <licenseName>GNU GENERAL PUBLIC LICENSE 3.0</licenseName>
                    <licenseFile>LICENSE</licenseFile>

                    <keystore>${basedir}/keystore.jks</keystore>
                    <!-- it is safer not to hardcode the password, so use a variable -->
                    <keystorepassword>${keypass}</keystorepassword>
                    <keystorealias>my-key-alias-key</keystorealias>
                </configuration>
            </plugin>

3- Now build, passing the password:

mvn -Dkeypass=password nbm:nbm





On Mon, 30 Jan 2023 at 17:00, Moacir da Roza <mo...@gmail.com>
wrote:

> I believe they need to be signed with a key included in a keystore
>
> 1- Use the Java keytool:
>
> keytool -genkey -keyalg RSA -alias my-key-alias-key -keystore keystore.jks -validity 365
>
>
> 2- Include in pom.xml:
>
>             <plugin>
>                 <groupId>org.apache.netbeans.utilities</groupId>
>                 <artifactId>nbm-maven-plugin</artifactId>
>                 <version>4.7</version>
>                 <extensions>true</extensions>
>                 <configuration>
>                     <!-- <netbeansInstallation>${netbeansInstalationPath}</netbeansInstallation> -->
>                     <keystore>${basedir}/keystore.jks</keystore>
>                     <keystorepassword>${keypass}</keystorepassword>
>                     <keystorealias>my-key-alias-key</keystorealias>
>                 </configuration>
>             </plugin>
> ....
>
> On Mon, 30 Jan 2023 at 15:03, Matthias Bläsing
> <mb...@doppel-helix.eu.invalid> wrote:
>
>> Hi,
>>
>> I asked for reverification of three plugins. These plugins:
>>
>> - PlantUML-NB
>> - LDIF Editor
>> - LDAP Explorer
>>
>> are verified for NB 11.0/12.0 till NB 16 version. Nothing was changed
>> on the plugins for 17 and now the plugins are not good enough anymore.
>> So what is going on?
>>
>> They are rejected, because they are not signed, fine, but then why is
>> that an issue? The signatures gain you nothing as there is no trust
>> anchor, we don't distribute blocked author certificates and the
>> download from plugin portal is protected by the checksums.
>>
>> This is bogus, so what changed and why was this not communicated? I
>> assume that I was not the only one surprised by this. What is more, I'd
>> need to do a full release cycle without any code changes, without any
>> benefit.
>>
>> Greetings
>>
>> Matthias
>>
>> PS: Jiří I added you to direct CC as I'm not sure how closely you
>> monitor dev@
>>
>
> --
> Moacir R.F
> Software Developer
>
> https://www.moacirrf.com.br <http://www.moacirrf.com.br>
>


-- 
Moacir R.F
Software Developer

https://www.moacirrf.com.br <http://www.moacirrf.com.br>
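As an added example, not code from any post in this thread, here is a Python triage check for the NBM that the signing steps above produce: it reports whether a signature file and signature block are present and re-verifies the manifest's SHA-256 digests against each entry, which is the integrity property that both the signatures and the portal checksums discussed in this thread provide. It does not verify the signature cryptographically or establish who signed (that needs jarsigner -verify and a trust decision about the certificate); the sample archive is constructed inline and unsigned.

```python
import base64, hashlib, io, zipfile

SIG_EXT = (".SF", ".RSA", ".DSA", ".EC")  # jarsigner's signature file and block suffixes

def manifest_digests(text):
    """Map entry name -> SHA-256-Digest from a JAR manifest."""
    text = text.replace("\r\n ", "").replace("\n ", "")  # re-join lines wrapped at 72 bytes
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[len("SHA-256-Digest: "):]
    return digests

def check_nbm(data):
    """Triage an NBM/JAR: is a signature block present, and do the manifest digests match?"""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        meta = [n for n in names if n.startswith("META-INF/")]
        signed = any(n.endswith(".SF") for n in meta) and any(n.endswith(SIG_EXT[1:]) for n in meta)
        digests = manifest_digests(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        tampered, uncovered = [], []
        for n in names:
            if n.endswith("/") or n == "META-INF/MANIFEST.MF" or n.endswith(SIG_EXT):
                continue  # directories and signature metadata carry no manifest digest
            if n not in digests:
                uncovered.append(n)  # added after signing: jarsigner -verify would flag it
            elif base64.b64encode(hashlib.sha256(zf.read(n)).digest()).decode() != digests[n]:
                tampered.append(n)
    return {"signed": signed, "tampered": tampered, "uncovered": uncovered}

def build_sample(tamper=False):
    """Constructed, unsigned NBM-like archive with manifest digests for two entries."""
    entries = {"Info/info.xml": b"<module codenamebase='example'/>",
               "netbeans/modules/example.jar": b"placeholder-jar-bytes"}
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for n, content in entries.items():
        d = base64.b64encode(hashlib.sha256(content).digest()).decode()
        manifest += f"Name: {n}\r\nSHA-256-Digest: {d}\r\n\r\n"
    if tamper:  # edit an entry after the manifest was produced, as a post-build change would
        entries["Info/info.xml"] = b"<module codenamebase='tampered'/>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for n, content in entries.items():
            zf.writestr(n, content)
    return buf.getvalue()
```

Run check_nbm on a real .nbm file's bytes to see whether it carries a signature block at all; a "signed" result still says nothing about whether the signer is trusted.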

Re: NetBeans Plugin Verification - Changing Rules - suddenly not good enough anymore

Posted by Neil C Smith <ne...@apache.org>.
On Mon, 30 Jan 2023 at 20:08, Matthias Bläsing
<mb...@doppel-helix.eu.invalid> wrote:
> yes, I know how I can sign JARs/NBMs, the point is: this was not
> necessary for multiple NetBeans releases. I'm missing the explanation
> why something that was fine for at least 5 releases is now a problem.
>
> That communication did not happen and was not discussed here.

Welcome to the "verification process isn't working" side of the
conversation! :-)

Yes, this doesn't seem right.  These things should be discussed on dev@

We're about to switch to the NB17 plugin portal for 17-rc3 (as agreed
with plugin portal verifiers off-list - so far we kept NB16 portal).
The more existing plugins that are verified the better.  It's one way
of checking if we've introduced inadvertent changes in the IDE since
the last release.

IMO there are two main reasons a plugin that was verified for the last
release shouldn't be in this one.  The plugin was using implementation
versions, in which case it shouldn't have been verified in the first
place.  Or we broke backwards compatibility, deliberately or
inadvertently, and should consider the problem.

Other than that, if it was verified fine for 16 I don't see a reason
to apply different rules to 17?!

Best wishes,

Neil


Re: NetBeans Plugin Verification - Changing Rules - suddenly not good enough anymore

Posted by Matthias Bläsing <mb...@doppel-helix.eu.INVALID>.
Hi,

yes, I know how I can sign JARs/NBMs, the point is: this was not
necessary for multiple NetBeans releases. I'm missing the explanation
why something that was fine for at least 5 releases is now a problem.

That communication did not happen and was not discussed here.

Greetings

Matthias

On Monday, 30.01.2023 at 17:00 -0300, Moacir da Roza wrote:
> I believe they need to be signed with a key included in a keystore
> 
> 1- Use the Java keytool:
> 
> keytool -genkey -keyalg RSA -alias my-key-alias-key -keystore keystore.jks -validity 365
> 
> 
> 2- Include in pom.xml:
> 
>             <plugin>
>                 <groupId>org.apache.netbeans.utilities</groupId>
>                 <artifactId>nbm-maven-plugin</artifactId>
>                 <version>4.7</version>
>                 <extensions>true</extensions>
>                 <configuration>
>                     <!-- <netbeansInstallation>${netbeansInstalationPath}</netbeansInstallation> -->
>                     <keystore>${basedir}/keystore.jks</keystore>
>                     <keystorepassword>${keypass}</keystorepassword>
>                     <keystorealias>my-key-alias-key</keystorealias>
>                 </configuration>
>             </plugin>
> ....
> 
> On Mon, 30 Jan 2023 at 15:03, Matthias Bläsing
> <mb...@doppel-helix.eu.invalid> wrote:
> 
> > Hi,
> > 
> > I asked for reverification of three plugins. These plugins:
> > 
> > - PlantUML-NB
> > - LDIF Editor
> > - LDAP Explorer
> > 
> > are verified for NB 11.0/12.0 till NB 16 version. Nothing was changed
> > on the plugins for 17 and now the plugins are not good enough anymore.
> > So what is going on?
> > 
> > They are rejected, because they are not signed, fine, but then why is
> > that an issue? The signatures gain you nothing as there is no trust
> > anchor, we don't distribute blocked author certificates and the
> > download from plugin portal is protected by the checksums.
> > 
> > This is bogus, so what changed and why was this not communicated? I
> > assume that I was not the only one surprised by this. What is more, I'd
> > need to do a full release cycle without any code changes, without any
> > benefit.
> > 
> > Greetings
> > 
> > Matthias
> > 
> > PS: Jiří I added you to direct CC as I'm not sure how closely you
> > monitor dev@
> > 
> 



Re: NetBeans Plugin Verification - Changing Rules - suddenly not good enough anymore

Posted by Moacir da Roza <mo...@gmail.com>.
I believe they need to be signed with a key included in a keystore

1- Use the Java keytool:

keytool -genkey -keyalg RSA -alias my-key-alias-key -keystore keystore.jks -validity 365


2- Include in pom.xml:

            <plugin>
                <groupId>org.apache.netbeans.utilities</groupId>
                <artifactId>nbm-maven-plugin</artifactId>
                <version>4.7</version>
                <extensions>true</extensions>
                <configuration>
                    <!-- <netbeansInstallation>${netbeansInstalationPath}</netbeansInstallation> -->
                    <keystore>${basedir}/keystore.jks</keystore>
                    <keystorepassword>${keypass}</keystorepassword>
                    <keystorealias>my-key-alias-key</keystorealias>
                </configuration>
            </plugin>
....

On Mon, 30 Jan 2023 at 15:03, Matthias Bläsing
<mb...@doppel-helix.eu.invalid> wrote:

> Hi,
>
> I asked for reverification of three plugins. These plugins:
>
> - PlantUML-NB
> - LDIF Editor
> - LDAP Explorer
>
> are verified for NB 11.0/12.0 till NB 16 version. Nothing was changed
> on the plugins for 17 and now the plugins are not good enough anymore.
> So what is going on?
>
> They are rejected, because they are not signed, fine, but then why is
> that an issue? The signatures gain you nothing as there is no trust
> anchor, we don't distribute blocked author certificates and the
> download from plugin portal is protected by the checksums.
>
> This is bogus, so what changed and why was this not communicated? I
> assume that I was not the only one surprised by this. What is more, I'd
> need to do a full release cycle without any code changes, without any
> benefit.
>
> Greetings
>
> Matthias
>
> PS: Jiří I added you to direct CC as I'm not sure how closely you
> monitor dev@
>

-- 
Moacir R.F
Software Developer

https://www.moacirrf.com.br <http://www.moacirrf.com.br>