geronimo-dev mailing list archives

From Erin Mulder <me...@alumni.princeton.edu>
Subject Re: Questions about www.geronimoplugins.com site
Date Tue, 02 May 2006 16:44:45 GMT
Dain Sundstrom wrote:
> Isn't there a bigger security concern here?  Say some guy shows up and
> says he is from organization X and wants to add the latest XSoft
> application to the index.... get my point?

Regardless of where things are hosted, I think it would be nice to
eventually be able to support plugins signed with X.509** certificates
so that people can verify the authenticity of signed plugins and
knowingly accept risk when they install an unsigned plugin.

For the first release though, a warning on the plugin page ought to
suffice.  I think it's important to get the technology out there and
start getting feedback, inspiring plugin developers, etc.

Cheers,
Erin

**I am a fan of GPG/PGP, but it's more tedious / less useful than
centralized PKI for most users who haven't established a strong web of
trust.
