Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: removed sign certificate #709

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore: removed sign certificate #709

wants to merge 1 commit into from

Conversation

sbansla
Copy link
Contributor

@sbansla sbansla commented Oct 19, 2023

Fixes

Disabling package sign.

Checklist

  • I acknowledge that all my contributions will be made under the project's license
  • I have made a material change to the repo (functionality, testing, spelling, grammar)
  • I have read the Contribution Guidelines and my PR follows them
  • I have titled the PR appropriately
  • I have updated my branch with the main branch
  • I have added tests that prove my fix is effective or that my feature works
  • I have added the necessary documentation about the functionality in the appropriate .md file
  • I have added inline documentation to the code I modified

If you have questions, please file a support ticket, or create a GitHub Issue in this repository.

AsabuHere
AsabuHere reviewed Oct 19, 2023
View reviewed changes
Copy link
Contributor

@AsabuHere AsabuHere left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Package signing cannot be removed as it cause security issues

@sonarcloud
Copy link

sonarcloud bot commented Oct 19, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information

warning The version of Java (11.0.20.1) you have used to run this analysis is deprecated and we will stop accepting it soon. Please update to at least Java 17.
Read more here

@sbansla
Copy link
Contributor Author

sbansla commented Nov 2, 2023
edited

Package signing cannot be removed as it cause security issues

Hi, I am wondering how customer is getting benefit from this feature.
I am in favour of signing of certificate when customer is able to validate with some key or some other way that package they have downloaded is from Twilio, But I am having difficulties in understanding how current signing is benefiting customer and how customer is using this feature.

@AsabuHere
Copy link
Contributor

Package signing cannot be removed as it cause security issues

Hi, I am wondering how customer is getting benefit from this feature. I am in favour of signing of certificate when customer is able to validate with some key or some other way that package they have downloaded is from Twilio, But I am having difficulties in understanding how current signing is benefiting customer and how customer is using this feature.

I think we already discussed this is the call regarding this PR. You can check microsoft nuget signing documents for information on how to validate this from customer end. But we implemented this feature before, since we figured out that security vulnerabilities are there where other parties can publish packages pretending they are from Twilio. I believe it is not good to remove signing at this point. Since we took efforts on implementing this once, and this adds security, lets keep this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AsabuHere AsabuHere AsabuHere left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@sbansla @AsabuHere