Comments (1)
Shuyinsama
commented on June 9, 2024
2
Seconded. Another issue is that the api key and secret for that specific user cannot be refreshed/deleted/invalidated from the dashboard.
Making it possible for someone with malicious intent to alter a plugin even if you would have changed the account password.
Making this, in my opinion, a high priority issue. (Unless I am missing something)
Depending on out security officer’s decision we might remove our plugin from the Gradle repo until this is resolved.
We are still looking into this since our AVG/GDPR certification does not specifically specify a scenario like this, but is definitely something we are considering.
As an example: NPM has a organization dashboard where you allow users to be added and removed. Allowing you to also revoke a users complete access.
They also use the users own username and password as verification during the publishing of a package and updates. An organizational unit can also define the required security rules, like two-factor auth to be used.
I realize gradle works a bit different of course
I've asked a similar question on the forums before knowing this repo/issue existed: https://discuss.gradle.org/t/plugins-clarification-how-do-we-handle-lost-stolen-publish-key-and-secret/34532
from plugin-portal-requests.
Related Issues (20)
- Remove io.github.propactive v1.0.0 and v1.0.1 HOT 5
- Resend activation email HOT 11
- Remove Plugin "com.dailystudio.devbricksx.devkit" HOT 2
- Transfer ownership of the io.wttech.habit plugin from habitwttech to the wttech account. HOT 1
- Outdated .meta/prefix.txt file in Gradle plugins maven repository HOT 1
- Prefer maven central over jcenter for fallback resolution HOT 2
- New plugins stuck in "Pending"
- Request to update tags for plugin `io.github.alexengrig.spring-banner`
- Cancel "Pending Approval" versions for io.github.propactive HOT 1
- Update description and tags on sonarlint plugin HOT 2
- Mirroring the Plugin Portal seems not possible due to redirections HOT 1
- Plugin portal redirects to JCenter but JCenter certificate is not vaild. HOT 1
- Request to change ownership for `io.github.frontrider.godle` HOT 4
- Make the plugin coordinates pom file include url and scm tags HOT 1
- Version Catalog code snippets
- Change mail address HOT 1
- Transfer `org.hidetake.ssh` HOT 5
- Please remove com.verificationgentleman.gradle.hdvl.* version v0.2.2 HOT 3
- Not authorised to write to org.jsonschema2pojo HOT 2
- gay.pizza project plugins HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from plugin-portal-requests.