Because 3 days is probably the upper end of a completely normal absence from Sponge due to lack of time or interest or whatever. And the security benefit is someone can’t upload some random key to your account post-hacking and immediately start signing and distributing plugins from a trusted source. It’s not a long wait by any metric of security.
This is like asking why you need ownership paperwork to hire a locksmith. It’s inconvenient to gather it, especially while locked out, but you’d much rather it be required than otherwise, and the whole thing is avoided if you don’t lose your keys.
Could we just have it disabled. If someone seriously wanted to compromise someone’s account and upload a virus plugin, they’re going to just change the GPG key anyway. All it really will do is inconvience developers rather than protecting from the false threat of hackers at the moment. And yes, if we have 2FA we shouldn’t have to do the GPG file crap because honestly it’s a pain to do, especially since you have to keep track of your master file
Yeah… that’s not a good thing. Your private key is supposed to be one of the most important things you maintain on your computer. ;)[quote=“codeHusky, post:5, topic:18782”]
it’s a pain to do
Since I set it up once, it’s easy for me to build any plugins. I just add the maven-gpg-plugin and away it goes! No additional effort. First time setup took very little time as well, so that’s a perk.
… as opposed to “screw you figure it out yourself on sponge’s website”? Projects use their own documentation - why would Sponge copy and paste documentation to their website when they can just as easily link you to the relevant, actively updated one maintained by the creators? There’s nothing special about a ‘sponge’ project, it’s just a regular project, fully within the use cases of both.
For zero configuration, try flavor.pie.promptsign on Gradle.
But still, it’s not a “regular” thing to be doing when you’re building a plugin so not everyone’s going to figure out how to get that plugin even working properly from a page on an external website. It’s usually helpful to have your own locally hosted tutorials for that kind of thing, even if it’s really close to the other site