|Re: [eclipse.org-planning-council] Future of Jarsigning requirement|
I think the direction is good, but there is a but.
1) -0.5 At this point, I don't think we should approve changes to the requirements for the current release cycle but rather indicate that we intend to do so for the next release cycle, with the caveat that the current release will release with a fully-functional, properly-vetted implementation of the proposed PGP approach. Why? Because a great many people update their installation from the previous release to the latest release if not broken by https://bugs.eclipse.org/bugs/show_bug.cgi?id=576506 on Windows. If those people see warnings about unsigned content they'll be rightly concerned. Of course I do not know the current state of the 2021--09 PGP implementation and few of us do. Maybe it's already fully functional in 2021-09 without security flaws. But, based on lack of details on this front, I personally will not give this a +1.
2) Of course -1 for this unless there is a +1 for 1).
3) +1 We should ask for a review of the PGP proposal and its current released implementation in 2021-09.
4) +1 Note though that whatever is done here impacts the installer and that falls on me personally to resolve. The installer has "extended" p2 in rather invasive non-API ways (because p2 has so few APIs). The installer can remember the licenses (SUAs) the user has agreed to, can remember that the user is okay with unsigned content, and can remember certificates. These are important usability concerns. All this is easily broken by the platform and when that happens a lot of righteous finger pointing ensues. So all such work ends up not just being thankless, but really unpleasantly thankless, and that's something I wish we, as a team, will avoid.
On 13.10.2021 20:33, Jonah Graham wrote:
We had a fairly productive meeting on Wednesday with regards to the future of the Jarsigning requirement.
The current signing requirement is defined as follows in the simrel requirements:
Projects must use signed plugins and features using the Eclipse certificate.
[added 12/2015, for Neon]. Note: If a jar is already signed by the Eclipse certificate, then it must not be re-signed by projects for the release train.
And the handbook says:
_______________________________________________ eclipse.org-planning-council mailing list eclipse.org-planning-council@xxxxxxxxxxx To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/eclipse.org-planning-council
eclipse.org-planning-council mailing list
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/eclipse.org-planning-council
Back to the top