Please sign releases #1

ben-willow · 2015-04-10T02:17:59Z

Please sign each release, so we can know provenance of future releases, and help protect against malicious updates.

paulvi · 2015-09-01T07:55:27Z

@ben-willow
Can you point to any case of malicious updates ?

bekopharm · 2015-09-22T13:31:44Z

It's common sense to install only signed packages. I may even be company policy and would increase acceptance. Don't wait for a malicious update to happen. Prevent it in the first place.

paulvi · 2015-09-22T15:30:16Z

For non Eclipse foundation plugins, I know only @jeeeyul Lee signing.

And that only creates additional questions asked to user
(while for Eclipse signed binaries there's no question asked)

ncjones · 2015-09-22T19:57:19Z

I agree this is common sense but I am unsure how to implement it. I've read through https://wiki.eclipse.org/JAR_Signing but this does not provide any advice for 3rd-party plugin authors. Nor did I find any advice when quickly searching through "Mastering Eclipse Plug-in Development" and "Eclipse Plug-ins, Third Edition". Any advice on how this should work?

paulvi · 2015-09-23T03:44:30Z

@ncjones Nathan, you can ask @jeeeyul

but I would suggest not to spend time on this

cniweb · 2017-02-16T19:34:16Z

+1

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Please sign releases #1

Please sign releases #1

ben-willow commented Apr 10, 2015

paulvi commented Sep 1, 2015

bekopharm commented Sep 22, 2015

paulvi commented Sep 22, 2015

ncjones commented Sep 22, 2015

paulvi commented Sep 23, 2015

cniweb commented Feb 16, 2017

Please sign releases #1

Please sign releases #1

Comments

ben-willow commented Apr 10, 2015

paulvi commented Sep 1, 2015

bekopharm commented Sep 22, 2015

paulvi commented Sep 22, 2015

ncjones commented Sep 22, 2015

paulvi commented Sep 23, 2015

cniweb commented Feb 16, 2017