[Koha-bugs] [Bug 24632] Plugins should support simple signing for security/varifiability
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Thu Apr 16 09:36:34 CEST 2020
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24632
David Cook <dcook at prosentient.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dcook at prosentient.com.au
--- Comment #2 from David Cook <dcook at prosentient.com.au> ---
I one hundred percent agree with you, Martin.
I figure Koha developers sign Koha plugins using a private GPG key, and then
provide a public GPG key for *someone* to import into Koha.
Personally, I'd prefer if the list of public GPG keys was maintained by a Linux
sysadmin for maximum control, but I know that's potentially not useful for many
target users of Koha plugins. (Maybe a compromise would be to have a web
interface by default and then have an option to deactivate that and use a CLI
tool instead for vendors?)
In terms of specific interfaces... I'm going to look to see how Apt manages it
in a user-friendly fashion (ie not requiring users to specify which key to use
to verify which file).
In any case, I think we have to have some system for signing and verifying
plugins. From a vendor point of view, it would increase my confidence in the
plugin system as a whole.
--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
More information about the Koha-bugs
mailing list