Which is less secure:
- preventing the application of security patches?
- not having signed assemblies?
How much would you pay to update an assembly that was previously signed?
If you don't pay, you can't update that assembly.
You can release another version (with a different name), but existing users won't get a notification of an available update.
For "reasons", I previously signed the libraries I released through NuGet and the extensions I released through the Visual Studio Marketplace.
The cost to renew my code signing certificate this year was over $800. This is more than I want or have to spend on this. (Especially given the quality of the support they provide. Or not.)
Microsoft offer an alternative at a reasonable price, but it's only available to companies registered in the USA or Canada. I'm not, so that's no help.
NuGet makes it possible to release unsigned updates to previously signed packages. So, that's good.
Sadly, Visual Studio does not. I even asked very nicely. However, I was told that for security reasons, they do not allow this.
I guess the consequences of extensions not getting updated to address security threats or security vulnerabilities in their dependencies aren't a problem.
If they didn't allow the uploading and distribution of unsigned extensions it wouldn't be such an issue. But, because I was previously trying to be good and sign things on the basis that it was better for security, I (and anyone wanting updates) suffer now.
Unless someone wants to sponsor me enough to cover the cost of a certificate, the 50 extensions I have in the marketplace will never be updated. If you're waiting on a fix (or a security update), I'm not sure what to tell you.
I'm still wondering what to do. Hopefully, I'll have an announcement in the coming weeks...