notaryproject / notaryproject.dev

Notary Project Website

Home Page:https://notaryproject.dev

Document security best practices for plugin development

toddysm opened this issue · comments

As part of the release of Notation 1.0.0 we need to document the security best practices for developing plugins for Notation. We should explain in more detail how the communication between the Notation CLI and the plugin is handled and how plugin developers can verify that they communicate with a legitimate Notation installation. Also, we should document the best practices for publishing plugins so customers can verify the authenticity of the plugin (related to #225).

As discussed in the community meeting on May 29, the minimal work we need to do for the v1 release is to create a new document, "security best practices for plugin development", on the website to cover two parts:

  • The best practice of following the plugin metadata design as explained in the plugin spec
  • How to publish the plugin securely

@zr-msft do you think this information is enough for you to get started?

/cc @toddysm and @FeynmanZhou

Thank you @yizha1

I need to read through the spec and see what I can put together based on that information.

I'll follow up today and let you know what I think.

@yizha1 There are a few things I can derive from the spec. I'll put together a PR, but the doc will be very sparse and will require lots of input from the team.