Sorry for our late response. There will be an official announcement from the Product owner on our strategy for plugins, which I hope will come later today.
As you know, we have a process for reviewing plugins. In Ready! API, what we do with the plugins after they have been approved is to add them to our repository. In SoapUI OS, where we don't have a repository or a GUI for installing plugins, what we do is to allow only signed plugins to work.
We've always reviewed community code contributions to the SoapUI project (Pull requests) and want to do something similar for plugins. One of the reasons is that we don't want people to accidentally load Ready! API plugins, which may fail in subtle ways.
In other words we will sign your plugin and other plugins like it. It's a great contribution, and we're grateful that you want to make it available to all SoapUI users.
I'll contact you privately to get the JAR file signed.
Well, I understand the intention to sign plug-ins. But the solution is not very well crafted.
First, there must be a way for developers to test their code. I see three ways to solve this:
1. without signing
2. by signing with a self-signed certificate like Android development does it (opt-in by the user through UI dialog)
3. by signing with a developer certificate signed by Smartbear like Apple development does it
Second, there should be a documented and working process for getting a plug-in reviewed and signed for production.
Both points require a medium to large infrastructure and management effort backed by tools and staff.
Are you aware of this?
I agree it's very ad-hoc at the moment and that we have to improve.
Your suggestions seem very sensible to me, but we have to discuss them before I can tell you how we will evolve this.
Please bear with us!
Good to hear some positive intent in this area, look forward to hearing more on the strategy 🙂
The idea of signing plugins could be a positive thing if used as a means of official endorsement by SmartBear. For example, following acceptance and signing by SmartBear, possibly a little badge / icon could be shown somewhere e.g. 'Smart Bear Approved Plugin' - this might then be seen as an incentive for developers, like a kind of certification or trophy.
Unlike Holger & Rao, I have not yet invested any hard work / personal time in developing any plugins yet, but have set aside plenty of ideas and hope to start soon - however, I would like to echo the concerns that (again maybe just my views):
a) Having to hack around any certificate check when developing plugins would be off-putting - the development cycle should be made easy and people should maybe not be forced to have any plugins officially approved before they can be used (in the spirit of open source contribution).
b) There would seem little point developing plugins if it went against SmartBear's longer term intent / strategy, plus the open source sentiment wouldn't be there if O/S plugins were effectively censored or closed off.
At the end of the day SoapUI is a great open source product with a great community of skilled people helping just because they want to contribute / help, so hopefully there will be some good news coming on the future of O/S SoapUI plugins! 🙂
I'm still looking forward to hearing an "official announcement from the Product owner on our strategy for plugins". Any news about that?
Regarding signing of plugins in SoapUI.
1) We welcome community written plugins for the new framework of SoapUI!
2) In SoapUI 5.2.1 and later we require plugins to be signed to run in the new plugin framework. The reason is to minimize the risk of loading plugins that don’t work as expected.
For example: Plugins written for the similar plugin framework in Ready!API might use the framework in ways not supported in SoapUI.
3) We will review plugins in a similar way as any code contribution to SoapUI, and after successful review the plugin will be enabled to run in the new framework.
4) We are aware that developers need a smooth review process that doesn't slow down iterative development of plugins, so we will work together with contributors to find a good process.
Matti Hjelm, PO SoapUI
Rather than requiring that the plugins be signed, to be more open source and development friendly, could you add a dialog to explicitly allow/deny each unsigned plugin? And perhaps a command line argument to disable the checking?
I completely agree, I think it would be a nicer approach if the plugin signature check was an option under SoapUI preferences. Signature checking could always be enabled by default to cater for the original intent of the check, but making it optional would then at least allow users who are prepared to accept plugins at their own risk to do so e.g. check box 'only allow Smartbear signed plugins'
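The options raised in this thread (signed plugins only, an explicit allow/deny prompt for unsigned ones, or a switch that disables the check) come down to a small policy decision layered on standard JAR signature verification. The Java below is an added example, not SoapUI or SmartBear code and not part of any post; the class, enum and method names are hypothetical, and it pins the signer's own certificate because a JAR that merely verifies says nothing about whether its signer is trusted.

```java
import java.io.*;
import java.security.CodeSigner;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

// Added illustration; class, enum and method names are hypothetical, not SoapUI code.
public class PluginSignaturePolicy {
    enum Mode { SIGNED_ONLY, ASK_USER, CHECK_DISABLED }   // preference / command-line switch
    enum Decision { LOAD, PROMPT_USER, REJECT }

    // Signature bookkeeping files are never signed themselves.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        return n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/")
            && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    // True only if every content entry verifies and was signed with a pinned certificate.
    static boolean signedByPinned(File jarFile, Set<Certificate> pinned) throws IOException {
        int checked = 0;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarFile, true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { }   // digest is checked only once the entry is fully read
                }
                CodeSigner[] signers = e.getCodeSigners();   // null for an unsigned entry
                boolean ok = false;
                for (CodeSigner s : signers == null ? new CodeSigner[0] : signers)
                    ok |= pinned.contains(s.getSignerCertPath().getCertificates().get(0));
                if (!ok) return false;
                checked++;
            }
        } catch (SecurityException tampered) {   // entry content does not match its signed digest
            return false;
        }
        return checked > 0;   // an archive with no content entries is not "signed"
    }

    static Decision decide(Mode mode, boolean vendorSigned, boolean userApproved) {
        if (vendorSigned || mode == Mode.CHECK_DISABLED) return Decision.LOAD;
        if (mode == Mode.ASK_USER) return userApproved ? Decision.LOAD : Decision.PROMPT_USER;
        return Decision.REJECT;
    }

    public static void main(String[] args) throws Exception {   // args: plugin.jar signer-cert.pem
        try (InputStream in = new FileInputStream(args[1])) {
            Certificate c = CertificateFactory.getInstance("X.509").generateCertificate(in);
            boolean signed = signedByPinned(new File(args[0]), Set.of(c));
            System.out.println(decide(Mode.SIGNED_ONLY, signed, false));
        }
    }
}
```

With `SIGNED_ONLY` as the default, an unsigned or re-packed JAR is rejected; `ASK_USER` and `CHECK_DISABLED` correspond to the dialog and the opt-out switch proposed above.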
I just wanted to say that your plugin is amazing, unfortunately I can't use your latest release since SmartBear has not signed it yet. Do you have plans on requesting the signature? Jailbreak doesn't work anymore.