
He is an entrepreneur and a software architect from Tel Aviv, Israel. He is also a technology freak with about 20 years of experience working with computers. He is currently working on his first private initiative in the area of software development tools. His vision is to maximize the abilities of software developers by providing pragmatic tools that enable them to get fast results. Zviki has posted 36 posts at DZone.

Do You Care About Code Signing When Installing an Eclipse Plugin?

05.11.2010

The Eclipse ecosystem is fertile ground for developing plugins. There are about 1,000 plugins registered at the Eclipse Marketplace, and there are probably a lot more in reality. Plugins come from all kinds of sources. As with any other software, this brings the usual threats of downloading software from the internet: viruses, malware, etc. Installing a plugin in your IDE means handing over access to your source code to an external entity, so the risks are there.

One of the tools to deal with this threat is software signing. It is a lot like SSL: before you make a transaction, you want to know that the identity is certified and that the data is secured. Code signing provides this certification of authenticity, plus the ability to validate that the code was not modified or tampered with.

When you install an unsigned plugin in Eclipse Galileo, you will be presented with the following warning:


Assuming you entered an update site URL from a supposedly legitimate web site, what would you do?
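To make the "not modified" half of code signing concrete, the following Python code is an added example (not from the original article and not Eclipse's own implementation) that classifies a plugin archive as unsigned, modified after signing, or digest-consistent. It assumes the plugin is a JAR using the standard JAR signing layout with SHA-256 digests; the function names are hypothetical and the sample JAR is constructed with a placeholder signature block. It checks only the manifest digests against the file contents and does not validate the signer's certificate, which is the authenticity check a tool such as `jarsigner -verify` performs.

```python
import base64, hashlib, io, re, zipfile

SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)

def manifest_digests(text):
    """Return {entry name: expected SHA-256 bytes} from MANIFEST.MF text."""
    # Normalize line endings and unfold 72-byte continuation lines.
    text = re.sub(r"\r\n|\r", "\n", text).replace("\n ", "")
    digests = {}
    for section in text.split("\n\n")[1:]:  # first section holds main attributes
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs and "SHA-256-Digest" in attrs:
            digests[attrs["Name"]] = base64.b64decode(attrs["SHA-256-Digest"])
    return digests

def check_plugin_jar(data):
    """Classify jar bytes as 'unsigned', 'modified' or 'digests-ok'."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        if not ("META-INF/MANIFEST.MF" in names
                and any(SIG_FILE.match(n) for n in names)
                and any(SIG_BLOCK.match(n) for n in names)):
            return "unsigned"
        expected = manifest_digests(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in names:
            # Simplification: META-INF/ entries and directories are skipped.
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            if expected.get(name) != hashlib.sha256(jar.read(name)).digest():
                return "modified"  # content changed or file added after signing
        return "digests-ok"

def build_sample_jar(signed=True, tamper=False):
    """Constructed sample jar; the .RSA block is a placeholder, not a real signature."""
    code = b"plugin bytecode"
    digest = base64.b64encode(hashlib.sha256(code).digest()).decode()
    manifest = ("Manifest-Version: 1.0\r\n\r\nName: plugin/Activator.class\r\n"
                "SHA-256-Digest: %s\r\n\r\n" % digest)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            jar.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\r\n")
            jar.writestr("META-INF/SAMPLE.RSA", b"placeholder")
        jar.writestr("plugin/Activator.class", code + (b" + injected" if tamper else b""))
    return buf.getvalue()

if __name__ == "__main__":
    for kwargs in ({}, {"tamper": True}, {"signed": False}):
        print(kwargs, "->", check_plugin_jar(build_sample_jar(**kwargs)))
```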

Published at DZone with permission of its author, Zviki Cohen.
