Open ben-willow opened 9 years ago
@ben-willow Can you point to any case of malicious updates ?
It's common sense to install only signed packages. It may even be company policy and would increase acceptance. Don't wait for a malicious update to happen. Prevent it in the first place.
For non-Eclipse Foundation plugins, I know of only @jeeeyul Lee signing.
And that only creates additional questions asked of the user (while for Eclipse-signed binaries there's no question asked)
I agree this is common sense but I am unsure how to implement it. I've read through https://wiki.eclipse.org/JAR_Signing but this does not provide any advice for 3rd-party plugin authors. Nor did I find any advice when quickly searching through "Mastering Eclipse Plug-in Development" and "Eclipse Plug-ins, Third Edition". Any advice on how this should work?
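As an added illustration of the check a consumer (or a plugin author testing their own release) can run against a JAR, here is a small Java verifier; it is not code from this project or from the Eclipse JAR_Signing wiki. It relies only on the standard `java.util.jar` and `java.security` APIs: opening the JAR with verification enabled, reading every entry fully (which is what triggers the signature check) and then asking each entry for its code signers. The file path and the `isSignatureRelated` helper are assumptions made for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class CheckJarSignature {

    // Files that carry the signature itself are never signed content (assumed helper).
    static boolean isSignatureRelated(String name) {
        if (!name.startsWith("META-INF/")) return false;
        String upper = name.toUpperCase();
        return upper.equals("META-INF/MANIFEST.MF")
            || upper.endsWith(".SF") || upper.endsWith(".RSA")
            || upper.endsWith(".DSA") || upper.endsWith(".EC")
            || upper.startsWith("META-INF/SIG-");
    }

    // Returns true only if every content entry in the JAR is signed and its
    // digest matches. A tampered entry makes getInputStream/read throw
    // SecurityException; an unsigned entry has no code signers.
    public static boolean allEntriesSigned(String jarPath) throws IOException {
        try (JarFile jar = new JarFile(jarPath, true)) {   // true = verify signatures
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureRelated(entry.getName())) continue;

                // Signers are only populated after the entry has been read to the end.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* consume to force verification */ }
                } catch (SecurityException tampered) {
                    System.err.println("digest mismatch: " + entry.getName());
                    return false;
                }

                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    System.err.println("unsigned entry: " + entry.getName());
                    return false;
                }
            }
            return true;
        }
    }

    // Subject of the leaf certificate of the first signer, so the user can see
    // who actually signed the release rather than just "signed: yes".
    public static String firstSignerSubject(String jarPath) throws IOException {
        try (JarFile jar = new JarFile(jarPath, true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureRelated(entry.getName())) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers != null && signers.length > 0) {
                    Certificate leaf = signers[0].getSignerCertPath().getCertificates().get(0);
                    return ((X509Certificate) leaf).getSubjectX500Principal().getName();
                }
            }
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        String path = args.length > 0 ? args[0] : "plugin.jar";   // assumed path
        boolean ok = allEntriesSigned(path);
        System.out.println(path + " fully signed: " + ok);
        if (ok) System.out.println("signed by: " + firstSignerSubject(path));
    }
}
```

Note that this only proves the JAR is intact and signed by *some* key; whether that key is trusted (pinned fingerprint, company-issued certificate, or a CA the installer already trusts) is a separate policy decision, which is the question raised earlier in the thread. From the command line, `jarsigner -verify -verbose -certs plugin.jar` performs the same integrity check and prints the signer certificates.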
@ncjones Nathan, you can ask @jeeeyul
but I would suggest not to spend time on this
+1
Please sign each release, so we can know the provenance of future releases, and help protect against malicious updates.