Do you know what code signing is?
Here's a definition from Wikipedia: "Code signing can provide several valuable features. The most common use of code signing is to provide security when deploying; in some languages, it can also be used to help prevent namespace conflicts. Almost every code signing implementation will provide some sort of digital signature mechanism to verify the identity of the author or build system, and a checksum to verify that the object has not been modified. It can also be used to provide versioning information about an object or to store other meta data about an object."
In Java, JARs can be signed using a certificate. Much like SSL, you need to buy those certificates. However, these certificates are more expensive, starting at about $200 per year. Although it is not a lot of money, I'm having a hard time justifying the efforts involved.
The knowledgeable reader might say that this is a major issue in large corporate environments. Just to demonstrate: Eclipse 3.3 warned the user when installing unsigned plugins. In Eclipse 3.4, this warning was completely gone. Poof. Vanished. Yet, Eclipse 3.4 was used in large corporate environments. Fear not, the warning was back in Eclipse 3.5, after someone cared enough (read: was ****** enough) to open a bug about it (if you wonder who, you can look it up).
So, should I sign my Eclipse plugin? Do you care about signing? Let me know, vote in the poll I posted on EclipseZone.
