Re: [eclipse.org-planning-council] Future of Jarsigning requirement
I think the direction is good, but there is a but.
1) -0.5 At this point, I don't think we should approve changes
to the requirements for the current release cycle but rather
indicate that we intend to do so for the next release cycle, with
the caveat that the current release will release with a
fully-functional, properly-vetted implementation of the proposed
PGP approach. Why? Because a great many people update their
installation from the previous release to the latest release if
not broken by
https://bugs.eclipse.org/bugs/show_bug.cgi?id=576506 on Windows.
If those people see warnings about unsigned content they'll be
rightly concerned. Of course I do not know the current state of
the 2021-09 PGP implementation and few of us do. Maybe it's
already fully functional in 2021-09 without security flaws. But,
based on lack of details on this front, I personally will not give
this a +1.
2) Of course -1 for this unless there is a +1 for 1).
3) +1 We should ask for a review of the PGP proposal and its current released implementation in 2021-09.
4) +1 Note though that whatever is done here impacts the
installer and that falls on me personally to resolve. The
installer has "extended" p2 in rather invasive non-API ways
(because p2 has so few APIs). The installer can remember the
licenses (SUAs) the user has agreed to, can remember that the user
is okay with unsigned content, and can remember certificates.
These are important usability concerns. All this is easily broken
by the platform and when that happens a lot of righteous finger
pointing ensues. So all such work ends up not just being
thankless, but really unpleasantly thankless, and that's something
I wish we, as a team, would avoid.
We had a fairly productive meeting on Wednesday with regards to the future of the Jarsigning requirement.
The current signing requirement is defined as follows in the simrel requirements: