I am not stating this plugin is malicious, but given the increasing problems with 3rd party/supply chain vulnerabilities, the fact that this user has made their profile private and hidden/removed the plugin repository from public view is questionable. Especially given the plugins intent is to scan your entire database structure.
Does it make sense to offer a plugin via the plugin portal if the source code for it is not publicly visible?
Gradle itself also does that with the Develocity plugin, they even obfuscate the code of the plugin.
So actually I personally do not see any reason to not allow providing a closed source plugin.
It could also be some plugin that some company is selling usage licenses for and that only works if there is a license key provided somehow or similar.
I’m not aware of any rule that mandates plugins have to be open-source.
Well, there is this section on https://plugins.gradle.org/docs/publish-plugin:
Plugins should ideally be open-source, unless there is a good reason to do otherwise. Proprietary plugin authors should reach out to us.
It makes sense for commercial plugins as there is a dramatically different set of expectations there, and I presume greater legal ramifications if a company were selling/distributing a plugin with malicious intent. But for something that is free and where the author is effectively anonymous, it feels like there should be some sort of safeguards in place.
It’s also subsequently lacking any form of documentation, which is listed as a requirement in the publish plugin docs.
Obviously NPM is the 800lb gorilla in the room in regards to distributing packages, but as a result they’ve learned of how frequent malicious attacks happen and now have (at least some) safeguards in place.
I’m sure Gradle doesn’t want to get into the business of code scanning every plugin uploaded, but there should be some bare minimum threshold, and exposing the code for non-commercial plugins seems the easiest. Otherwise it’s only a matter of time before someone creates a plugin, gets enough users, hides the repo, and pushes a new version out to unsuspecting users with malicious intent.
Yeah, as I said, your points are quite valid.
Here is just not the optimal place to address them, as the Gradle folks not necessarily check here regularly.