Checksums on Atlassian Marketplace Plugins

Amos July 9, 2023

Good morning/afternoon all,

I just wanted to put it out there that a new feature request (specifically for Jira DC, however this should apply to all plugins) has been put forward to get checksums in place for plugins downloaded via the marketplace. See below (and I highly recommend watching/voting on this issue to draw attention to this issue):

The purpose of a checksum is to ensure that there is a trusted supply chain of development through to distribution of built image/plugins and minimize the likelihood of an untrusted image being installed that could have been tampered with. For more information, please refer to some additional references below:

Zac Boyd July 9, 2023

Seems like a really important security risk that should be addressed!

Jim Cupples July 10, 2023

I completely agree with this request. Are there similar requests for the other Atlassian DC applications, i.e. Confluence, Bitbucket, Bamboo, Crowd?

John Dunkelberg July 10, 2023

That's interesting - this kind of thing was standard when I was at a previous firm who developed data center tools over a decade ago.  I've never been a Jira system admin but I guess I would have thought this was long-since a standard here too, so I'm surprised a bit on this unless there is some other mechanism that Atlassian is assuring through the Marketplace itself?

Metin Savignano July 17, 2023

I second this, but perhaps it needs to be made optional.

Our app has signed checksums and does a self-check upon startup, which we think is important, but for some customers, that has the downside that they cannot modify anything in the app. For example, some customers would like to modify a built-in template. 

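The trade-off raised in the last comment (a startup self-check against vendor checksums versus customers editing a built-in template) can be sketched as follows. This is an added example, not part of the thread and not any vendor's code; the `templates/` prefix, the `allow_mutable` switch and the sample archive contents are assumptions made for illustration, and the manifest is assumed to have had its signature verified separately.

```python
import hashlib
import io
import zipfile

# Assumption (hypothetical policy): entries under these prefixes are customer-editable.
MUTABLE_PREFIXES = ("templates/",)


def entry_digests(jar_bytes):
    """Map every file entry in the archive to its SHA-256 hex digest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {i.filename: hashlib.sha256(jar.read(i)).hexdigest()
                for i in jar.infolist() if not i.is_dir()}


def self_check(jar_bytes, manifest, allow_mutable=False):
    """Return (violations, tolerated) for the archive against the vendor manifest.

    The manifest's signature is assumed to be verified before this call.
    """
    actual = entry_digests(jar_bytes)
    violations, tolerated = [], []
    for name in sorted(set(manifest) | set(actual)):
        if name not in actual:
            violations.append(("missing", name))
        elif name not in manifest:
            # Added files are rejected even under a mutable prefix.
            violations.append(("unexpected", name))
        elif actual[name] != manifest[name]:
            if allow_mutable and name.startswith(MUTABLE_PREFIXES):
                tolerated.append(("modified", name))
            else:
                violations.append(("modified", name))
    return violations, tolerated


def make_jar(files):
    """Build a constructed in-memory archive for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in files.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed sample contents, not a real Marketplace app.
SAMPLE = {"atlassian-plugin.xml": b"<atlassian-plugin/>",
          "com/example/App.class": b"\xca\xfe\xba\xbe-original",
          "templates/report.vm": b"Hello $user"}
```

With `allow_mutable=True` an edited template is reported as tolerated rather than as a violation, while changed code and newly added files still fail the check.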