Interesting--the daily builds are still working on the original site and are producing builds, which seem to have differences between them:
http://bits.netbeans.org/download/trunk/nightly/latest/ <http://bits.netbeans.org/download/trunk/nightly/latest/> Should these be shut down? > On Sep 6, 2017, at 2:37 AM, Geertjan Wielenga > <[email protected]> wrote: > > Please understand that there are no development builds yet for Apache > NetBeans. There is no code yet in the Apache NetBeans repo and hence no > builds at all. > > Thanks, > > Gj > > On Wed, 6 Sep 2017 at 01:06, Alvin Thompson <[email protected]> wrote: > >> Currently on macOS, trying to install the development builds by >> double-clicking on the installer results in an error, because the installer >> is not signed. To continue, you must bypass this error by right-clicking on >> the installer and selecting "open" from the menu, and confirm that you want >> to run an app from an untrusted source. The downside is that without the >> signature there's no way to know if the installer was altered or replaced. >> >> The development builds used to be signed, and they probably should still >> be signed since the installer requires 'root'-like privileges on macOS, and >> prompts you for an admin password to continue. >> >> Once admin access is granted, the installer can do anything to the system, >> therefore the installer should be signed (they used to be). Currently users >> are getting used to allowing an installer--that could be altered or >> replaced by an attacker--root access to their system, simply because it is >> named "NetBeans" and they trust the name. Bad! >> >> I called this a "reminder" because I assumed that this issue had been >> brought up previously. The build used to be broken because it no longer has >> access to Oracle's key for signing. Someone "fixed" this by changing the >> build to not sign the installer. >> >> -Alvin >> >> >>> On Sep 5, 2017, at 6:07 PM, Geertjan Wielenga < >> [email protected]> wrote: >>> >>> Not sure about the reminder part -- can you point to an issue that you're >>> referring to here and a way to reproduce or somehow reproduce this? >>> >>> Gj >>> >>> On Tue, Sep 5, 2017 at 10:48 PM, Alvin Thompson <[email protected] >>> >>> wrote: >>> >>>> I figure I'd write an annoying reminder that currently the installer (at >>>> least on macOS) requires admin privileges, but is not signed. This >> provides >>>> an inviting target for someone to alter the installer with malicious >>>> content, especially since the NetBeans brand enjoys a high "trust" >> factor >>>> so many developers will not think twice about installing it. If a trojan >>>> can happen in Apple's Xcode, it can happen here. Let's not get people >> used >>>> to trusting an unsigned NetBeans installer. >>>> >>>> Is there any chance we can get these things signed again? >>>> >>>> -Alvin >>>> >>>> >> >>
