Hi Holger,
Sorry for our late response. There will be an official announcement from the Product owner on our strategy for plugins, which I hope will come later for day.
As you know, we have a process for reviewing plugins. In Ready! API, what we do with the plugins after they have been approved is to add them to our repository. In SoapUI OS, where we don't have a repository or a GUI for installing plugins, what we do is to allow only signed plugins to work.
We've always reviewed community code contributions to the SoapUI project (Pull requests) and want to do something similar for plugins. One of the reasons is that we don't want people to accidentally load Ready! API plugins, which may fail in subtle ways.
In other words we will sign your plugin and other plugins like it. It's a great contribution, and we're grateful that you want to make it available to all SoapUI users.
I'll contact you privately to get the JAR file signed.
Regards,
Manne
Hi Manne,
i'm still looking forward to hear an "official announcement from the Product owner on our strategy for plugins". Any news about that?
Regards,
Holger
Regarding signing of plugins in SoapUI.
1) We welcome community written plugins for the new framework of SoapUI!
2) In SoapUI 5.2.1 and later we require plugins to be signed to run in the new plugin framework. The reason is to minimize the risk of loading plugins that don’t work as expected.
For example: Plugins written for the similar plugin framework in Ready!API might use the framework in ways not supported in SoapUI.
3) We will review plugins in a similar way as any code contribution to SoapUI, and after successful review the plugin will be enabled to run in the new framework.
4) We are aware that developers need a smooth review process that doesn't slow down iterative development of plugins, so we will work together with contributors to find a good process.
Kind regards,
Matti Hjelm, PO SoapUI
Rather than requiring that the plugins be signed, to be more open source and development friendly, could you add a dialog to explicitly allow/deny each unsigned plugin? And perhaps a command line argument to disable the checking?
I completely agree, I think it would be a nicer approach if the plugin signature check was an option under SoapUI preferences. Signature checking could always be enabled by default to cater for the original intent of the check, but making it optional would then at least allow users who are prepared to accept plugins at their own risk to do so e.g. check box 'only allow Smartbear signed plugins'
