svn commit: r24200 - in /dev/incubator/netbeans: incubating-netbeans-java/incubating-9.0-beta-rc2/ incubating-netbeans-platform/incubating-9.0-beta-rc2/

2018-01-14 Thread jlahoda 
Author: jlahoda
Date: Sun Jan 14 22:16:12 2018
New Revision: 24200

Log:
Apache NetBeans 9.0-beta RC2.

Added:
dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/

dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip
   (with props)

dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.asc

dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.md5

dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.sha1

dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-source.zip
   (with props)

dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-source.zip.asc

dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-source.zip.md5

dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-source.zip.sha1
dev/incubator/netbeans/incubating-netbeans-platform/incubating-9.0-beta-rc2/

dev/incubator/netbeans/incubating-netbeans-platform/incubating-9.0-beta-rc2/incubating-netbeans-platform-9.0-beta-bin.zip
   (with props)

dev/incubator/netbeans/incubating-netbeans-platform/incubating-9.0-beta-rc2/incubating-netbeans-platform-9.0-beta-bin.zip.asc

dev/incubator/netbeans/incubating-netbeans-platform/incubating-9.0-beta-rc2/incubating-netbeans-platform-9.0-beta-bin.zip.md5

dev/incubator/netbeans/incubating-netbeans-platform/incubating-9.0-beta-rc2/incubating-netbeans-platform-9.0-beta-bin.zip.sha1

dev/incubator/netbeans/incubating-netbeans-platform/incubating-9.0-beta-rc2/incubating-netbeans-platform-9.0-beta-source.zip
   (with props)

dev/incubator/netbeans/incubating-netbeans-platform/incubating-9.0-beta-rc2/incubating-netbeans-platform-9.0-beta-source.zip.asc

dev/incubator/netbeans/incubating-netbeans-platform/incubating-9.0-beta-rc2/incubating-netbeans-platform-9.0-beta-source.zip.md5

dev/incubator/netbeans/incubating-netbeans-platform/incubating-9.0-beta-rc2/incubating-netbeans-platform-9.0-beta-source.zip.sha1

Added: 
dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip
==
Binary file - no diff available.

Propchange: 
dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip
--
svn:mime-type = application/octet-stream

Added: 
dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.asc
==
--- 
dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.asc
 (added)
+++ 
dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.asc
 Sun Jan 14 22:16:12 2018
@@ -0,0 +1,17 @@
+-BEGIN PGP SIGNATURE-
+Version: GnuPG v1
+
+iQIcBAABAgAGBQJaW9MOAAoJELTBlA/qk2TxcTEP/AtA5lYvBk8sFwjN9qM6YP3T
+3pHVL0x6dv0kmqUs2zTatAlg2HGHQxA4Tn9+OGgJwkBnnjhqsRKm1qxsbWbBBpOI
+/40vYpY9mo0dNZFVW52g7HpyMcZowgiWPQIvPl/nE10PGjOZ05+Qz08hqUhYzA0A
+u86qsVSnGp3YMATf25BrnR0NaI4tPyovHFEKTT3tQna22vS1VC6RFZboW7sLi9re
+P6EBqzPXNARTKs20/Z+ww36svpKr9ie5lCIGBQgI7D7dvJu9x1k4HB8GYAecowQb
+eNq7mU0sS4/MRHGjLt7yY8Eufxsk9YJ57MXk0SlbIrfKDWDRDDrmzbo7l74I/RsL
+ErFfsuOUt5DbtuLqSAGRxX2Mp1nG0CVEPq9In0vY8zYkHyPJixTLycWYdgR5ssTG
+xwAb3C3+HOjW1v5Ff/D4YhtNNE9YC8b319iGm7kpek/0izZvfMMHCalWLLG12H0h
+L53wthX5BKxmJiWhrwLWswux/945Z1aBXEJa0XNdoNBYVg5LLYvALKHnGTbRzoW/
+C0ZESBZaYsTXZTAfFVZrGRYpUwVeqFCXua4j7P2uexLaw96Zu566cCl0Mc7jSeXU
+DDRygT8dJzhX6ywiPKiYjZVruKthlRYiLZwGlzbb7WhZriLIMFkwzh63qBCst+QW
+OSoYz3Nw3ZZ4CKODGhek
+=5p6f
+-END PGP SIGNATURE-

Added: 
dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.md5
==
--- 
dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.md5
 (added)
+++ 
dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.md5
 Sun Jan 14 22:16:12 2018
@@ -0,0 +1 @@
+c8797937fe984221d09dee0d55bf9743  incubating-netbeans-java-9.0-beta-bin.zip

Added: 
dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.sha1
==
---

[jira] [Created] (NETBEANS-282) UnsatisfiedLinkError trying to open browser

2018-01-14 Thread Gili (JIRA) 
Gili created NETBEANS-282:
-

 Summary: UnsatisfiedLinkError trying to open browser
 Key: NETBEANS-282
 URL: https://issues.apache.org/jira/browse/NETBEANS-282
 Project: NetBeans
  Issue Type: Bug
 Environment: Product Version: Apache NetBeans IDE Dev (Build 
20180106-unknown-revn)
Updates: Updates available
Java: 9.0.1; Java HotSpot(TM) 64-Bit Server VM 9.0.1+11
Runtime: Java(TM) SE Runtime Environment 9.0.1+11
System: Windows 10 version 10.0 running on amd64; Cp1252; en_CA (nb)
User directory: C:\Users\Gili\AppData\Roaming\NetBeans\dev
Cache directory: C:\Users\Gili\AppData\Local\NetBeans\Cache\dev
Reporter: Gili


1. CTRL+LMB on a link inside a Java file.
2. Exception thrown:

{code}
java.lang.UnsatisfiedLinkError: no extbrowser64 in java.library.path
at java.base/java.lang.ClassLoader.loadLibrary(ClassLoader.java:2541)
at java.base/java.lang.Runtime.loadLibrary0(Runtime.java:873)
at java.base/java.lang.System.loadLibrary(System.java:1857)
at 
org.netbeans.modules.extbrowser.NbDdeBrowserImpl.(NbDdeBrowserImpl.java:82)
at 
org.netbeans.modules.extbrowser.SystemDefaultBrowser.createHtmlBrowserImpl(SystemDefaultBrowser.java:94)
at 
org.netbeans.core.NbURLDisplayer.warmBrowserUp(NbURLDisplayer.java:100)
at org.netbeans.core.NbURLDisplayer.access$000(NbURLDisplayer.java:47)
at org.netbeans.core.NbURLDisplayer$1.run(NbURLDisplayer.java:59)
at 
org.openide.util.RequestProcessor$Task.run(RequestProcessor.java:1418)
at 
org.netbeans.modules.openide.util.GlobalLookup.execute(GlobalLookup.java:45)
at org.openide.util.lookup.Lookups.executeWith(Lookups.java:278)
at 
org.openide.util.RequestProcessor$Processor.run(RequestProcessor.java:2033)
Caused: org.openide.util.RequestProcessor$SlowItem: task failed due to
at org.openide.util.RequestProcessor.post(RequestProcessor.java:395)
at org.netbeans.core.NbURLDisplayer.showURL(NbURLDisplayer.java:55)
at 
org.netbeans.modules.editor.url.HyperlinkImpl.performClickAction(HyperlinkImpl.java:105)
at 
org.netbeans.lib.editor.hyperlink.HyperlinkOperation.performAction(HyperlinkOperation.java:249)
at 
org.netbeans.lib.editor.hyperlink.HyperlinkOperation.mouseClicked(HyperlinkOperation.java:422)
at 
java.desktop/java.awt.AWTEventMulticaster.mouseClicked(AWTEventMulticaster.java:278)
at 
java.desktop/java.awt.AWTEventMulticaster.mouseClicked(AWTEventMulticaster.java:277)
at 
java.desktop/java.awt.Component.processMouseEvent(Component.java:6581)
at 
java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3343)
at java.desktop/java.awt.Component.processEvent(Component.java:6343)
at java.desktop/java.awt.Container.processEvent(Container.java:2259)
at 
java.desktop/java.awt.Component.dispatchEventImpl(Component.java:4961)
at 
java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2317)
at java.desktop/java.awt.Component.dispatchEvent(Component.java:4793)
at 
java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4904)
at 
java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4548)
at 
java.desktop/java.awt.LightweightDispatcher.dispatchEvent(Container.java:4480)
at 
java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2303)
at java.desktop/java.awt.Window.dispatchEventImpl(Window.java:2758)
at java.desktop/java.awt.Component.dispatchEvent(Component.java:4793)
at 
java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:766)
at java.desktop/java.awt.EventQueue.access$500(EventQueue.java:97)
at java.desktop/java.awt.EventQueue$3.run(EventQueue.java:717)
at java.desktop/java.awt.EventQueue$3.run(EventQueue.java:711)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at 
java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:89)
at 
java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:99)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:739)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:737)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at 
java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:89)
at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:736)
at 
org.netbeans.core.TimableEventQueue.dispatchEvent(TimableEventQueue.java:136)
at 
java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:199)
at

[incubator-netbeans] branch master updated: [NETBEANS-281] Add ASF license template (#367)

2018-01-14 Thread junichi11 
This is an automated email from the ASF dual-hosted git repository.

junichi11 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-netbeans.git


The following commit(s) were added to refs/heads/master by this push:
 new d23e386  [NETBEANS-281] Add ASF license template (#367)
d23e386 is described below

commit d23e386c221cf689d65b1c2a1711b9e81c45d907
Author: lbruun <32431476+lbr...@users.noreply.github.com>
AuthorDate: Sun Jan 14 15:15:10 2018 +0100

[NETBEANS-281] Add ASF license template (#367)

* [NETBEANS-281] Merge with PR174
Merge the idea in PR174 into this change.
---
 .../apisupport/project/queries/TemplateAttributesProvider.java   | 2 +-
 .../src/org/netbeans/modules/apisupport/project/resources/layer.xml  | 5 -
 .../src/org/netbeans/modules/apisupport/project/ui/Bundle.properties | 1 -
 dlight.nativeexecution/nbproject/project.properties  | 2 +-
 .../netbeans/modules/project/ui/resources/apache20-asf-license.txt   | 0
 projectui/src/org/netbeans/modules/project/ui/resources/layer.xml| 5 +
 terminal/nbproject/project.properties| 2 +-
 7 files changed, 8 insertions(+), 9 deletions(-)

diff --git 
a/apisupport.ant/src/org/netbeans/modules/apisupport/project/queries/TemplateAttributesProvider.java
 
b/apisupport.ant/src/org/netbeans/modules/apisupport/project/queries/TemplateAttributesProvider.java
index 26c856f..1e18549 100644
--- 
a/apisupport.ant/src/org/netbeans/modules/apisupport/project/queries/TemplateAttributesProvider.java
+++ 
b/apisupport.ant/src/org/netbeans/modules/apisupport/project/queries/TemplateAttributesProvider.java
@@ -63,7 +63,7 @@ public class TemplateAttributesProvider implements 
CreateFromTemplateAttributesP
 String licensePath = props.getProperty("project.licensePath"); // 
NOI18N
 
 if (license == null && netbeansOrg) {
-license = "apache20-netbeans"; // NOI18N
+license = "apache20-asf"; // NOI18N
 }
 if (license == null && licensePath == null && project != null) {
 SuiteProject sp;
diff --git 
a/apisupport.ant/src/org/netbeans/modules/apisupport/project/resources/layer.xml
 
b/apisupport.ant/src/org/netbeans/modules/apisupport/project/resources/layer.xml
index 457ff40..2b0ad2d 100644
--- 
a/apisupport.ant/src/org/netbeans/modules/apisupport/project/resources/layer.xml
+++ 
b/apisupport.ant/src/org/netbeans/modules/apisupport/project/resources/layer.xml
@@ -261,11 +261,6 @@
 
 http://www.netbeans.org/cddl-gplv2.html"/>
 
-
-
-
-http://www.apache.org/licenses/LICENSE-2.0"/>
-
 
 
 
diff --git 
a/apisupport.ant/src/org/netbeans/modules/apisupport/project/ui/Bundle.properties
 
b/apisupport.ant/src/org/netbeans/modules/apisupport/project/ui/Bundle.properties
index 4ceb39a..267ae49 100644
--- 
a/apisupport.ant/src/org/netbeans/modules/apisupport/project/ui/Bundle.properties
+++ 
b/apisupport.ant/src/org/netbeans/modules/apisupport/project/ui/Bundle.properties
@@ -75,7 +75,6 @@ HINT_suite_project_root_node=Module suite project in {0}
 LBL_jnlp_master=JNLP Descriptor
 
 Templates/Licenses/license-cddl-netbeans-sun.txt=NetBeans CDDL/GPL
-Templates/Licenses/license-apache20-netbeans.txt=NetBeans Apache License 2.0
 
 TestDataDirsNodeFactory.unit_test_data=Unit Test Data
 TestDataDirsNodeFactory.qa-functional_test_data=Functional Test Data
diff --git a/dlight.nativeexecution/nbproject/project.properties 
b/dlight.nativeexecution/nbproject/project.properties
index 14f5991..345cefd 100644
--- a/dlight.nativeexecution/nbproject/project.properties
+++ b/dlight.nativeexecution/nbproject/project.properties
@@ -18,7 +18,7 @@ is.autoload=true
 javac.source=1.7
 javac.compilerargs=-Xlint -Xlint:-serial
 javadoc.arch=${basedir}/arch.xml
-project.license=apache20-netbeans
+project.license=apache20-asf
 nbm.executable.files=bin/nativeexecution/**
 jnlp.indirect.files=bin/nativeexecution/**
 spec.version.base=1.40.13
diff --git 
a/apisupport.ant/src/org/netbeans/modules/apisupport/project/resources/license-apache20-netbeans.txt
 
b/projectui/src/org/netbeans/modules/project/ui/resources/apache20-asf-license.txt
similarity index 100%
rename from 
apisupport.ant/src/org/netbeans/modules/apisupport/project/resources/license-apache20-netbeans.txt
rename to 
projectui/src/org/netbeans/modules/project/ui/resources/apache20-asf-license.txt
diff --git a/projectui/src/org/netbeans/modules/project/ui/resources/layer.xml 
b/projectui/src/org/netbeans/modules/project/ui/resources/layer.xml
index bf38bc5..c94adac 100644
--- a/projectui/src/org/netbeans/modules/project/ui/resources/layer.xml
+++ b/projectui/src/org/netbeans/modules/project/ui/resources/layer.xml
@@ -179,6 +179,11 @@
 
 https://opensource.org/licenses/Apache-2.0

[incubator-netbeans] branch master updated (2b21706 -> e4a282a)

2018-01-14 Thread geertjan 
This is an automated email from the ASF dual-hosted git repository.

geertjan pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-netbeans.git.


from 2b21706  Merge pull request #357 from matthiasblaesing/issue-250
 add a25a59d  [NETBEANS-276]: fixing top-level LICENSE, making NOTICE and 
nbbuild/notice-stub.txt the same, reusing top-level LICENSE in builds, 
excluding external/*.jar and external/*.zip from source build.
 new e4a282a  Merge pull request #366 from jlahoda/NETBEANS-276

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 LICENSE  | 407 +++
 NOTICE   |  11 +-
 nbbuild/build.xml|  10 +-
 nbbuild/license-stub.txt | 203 ---
 nbbuild/notice-stub.txt  |   4 +-
 5 files changed, 218 insertions(+), 417 deletions(-)
 delete mode 100644 nbbuild/license-stub.txt

-- 
To stop receiving notification emails like this one, please contact
['"commits@netbeans.apache.org" '].

-
To unsubscribe, e-mail: commits-unsubscr...@netbeans.apache.org
For additional commands, e-mail: commits-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists

[jira] [Comment Edited] (NETBEANS-240) Potential system compromise: nb-javac library unsigned

2018-01-14 Thread JIRA 

[ 
https://issues.apache.org/jira/browse/NETBEANS-240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16325548#comment-16325548
 ] 

Markus Kilås edited comment on NETBEANS-240 at 1/14/18 12:38 PM:
-

Oh, okay yes that could be a bigger topic.
But wouldn't that then be the same issue also for the other modules? For 
instance in the plugin portal I see that there are updates (i.e. for "IDE 
Platform", "Docker UI", "Local Tasks" and Ant) and those can be installed 
directly without any warning. They seems to be signed by Oracle certificates.
I would assume the same process could be use to also sign the nb-javac library 
and we wouldn't have this issue, no?


was (Author: netmackan):
Oh, okay yes that could be a bigger topic.
But wouldn't that then be the same issue also for the other modules? For 
instance in the plugin portal I see that there are updates (i.e. for "IDE 
Platform", "Docker UI", "Local Tasks" and Ant) and those can be installed 
directly without any warning. They seems to be signed certificates.
I would assume the same process could be use to also sign the nb-javac library 
and we wouldn't have this issue, no?

> Potential system compromise: nb-javac library unsigned
> --
>
> Key: NETBEANS-240
> URL: https://issues.apache.org/jira/browse/NETBEANS-240
> Project: NetBeans
>  Issue Type: Bug
>Reporter: Markus Kilås
>Priority: Critical
>
> During startup of NetBeans the user is prompted to choose a javac library. 
> However, the recommended one, nbjavac, is fetched over an insecure connection 
> (both plugin metadata and the actually binaries are fetched over HTTP from 
> bits.netbeans.org and lahoda.info) and the binaries are unsigned.
> The plugin system does the right thing and warns the user about the unsigned 
> plugins. However, if the user anyway ignores the warnings the system could 
> easily be compromised. The risk of choosing the insecure alternative is also 
> larger due to that the user gets very mixed messages as the insecure option 
> is first "Highly recommended" and then there is a warning that it is 
> "potentially insecure".
> Binary being fetched from lahoda.info on HTTP port 80:
> {noformat}
> GET /netbeans/nb-javac-auc/org-netbeans-modules-nbjavac.nbm HTTP/1.1
> Cache-Control: no-cache
> Pragma: no-cache
> User-Agent: Java/1.8.0_151
> Host: lahoda.info
> Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
> Connection: keep-alive
> HTTP/1.1 200 OK
> Content-Type: application/octet-stream
> Accept-Ranges: bytes
> Content-Length: 17626
> Date: Mon, 01 Jan 2018 17:49:45 GMT
> Server: lighttpd/1.4.42
> PK..
> KMETA-INF/PK..
> ...
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

-
To unsubscribe, e-mail: commits-unsubscr...@netbeans.apache.org
For additional commands, e-mail: commits-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists

[jira] [Commented] (NETBEANS-240) Potential system compromise: nb-javac library unsigned

2018-01-14 Thread JIRA 

[ 
https://issues.apache.org/jira/browse/NETBEANS-240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16325548#comment-16325548
 ] 

Markus Kilås commented on NETBEANS-240:
---

Oh, okay yes that could be a bigger topic.
But wouldn't that then be the same issue also for the other modules? For 
instance in the plugin portal I see that there are updates (i.e. for "IDE 
Platform", "Docker UI", "Local Tasks" and Ant) and those can be installed 
directly without any warning. They seems to be signed certificates.
I would assume the same process could be use to also sign the nb-javac library 
and we wouldn't have this issue, no?

> Potential system compromise: nb-javac library unsigned
> --
>
> Key: NETBEANS-240
> URL: https://issues.apache.org/jira/browse/NETBEANS-240
> Project: NetBeans
>  Issue Type: Bug
>Reporter: Markus Kilås
>Priority: Critical
>
> During startup of NetBeans the user is prompted to choose a javac library. 
> However, the recommended one, nbjavac, is fetched over an insecure connection 
> (both plugin metadata and the actually binaries are fetched over HTTP from 
> bits.netbeans.org and lahoda.info) and the binaries are unsigned.
> The plugin system does the right thing and warns the user about the unsigned 
> plugins. However, if the user anyway ignores the warnings the system could 
> easily be compromised. The risk of choosing the insecure alternative is also 
> larger due to that the user gets very mixed messages as the insecure option 
> is first "Highly recommended" and then there is a warning that it is 
> "potentially insecure".
> Binary being fetched from lahoda.info on HTTP port 80:
> {noformat}
> GET /netbeans/nb-javac-auc/org-netbeans-modules-nbjavac.nbm HTTP/1.1
> Cache-Control: no-cache
> Pragma: no-cache
> User-Agent: Java/1.8.0_151
> Host: lahoda.info
> Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
> Connection: keep-alive
> HTTP/1.1 200 OK
> Content-Type: application/octet-stream
> Accept-Ranges: bytes
> Content-Length: 17626
> Date: Mon, 01 Jan 2018 17:49:45 GMT
> Server: lighttpd/1.4.42
> PK..
> KMETA-INF/PK..
> ...
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

-
To unsubscribe, e-mail: commits-unsubscr...@netbeans.apache.org
For additional commands, e-mail: commits-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists

[jira] [Commented] (NETBEANS-240) Potential system compromise: nb-javac library unsigned

2018-01-14 Thread Geertjan Wielenga (JIRA) 

[ 
https://issues.apache.org/jira/browse/NETBEANS-240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16325542#comment-16325542
 ] 

Geertjan Wielenga commented on NETBEANS-240:


I think the point is that it's not clear what the proper signing is for Apache.

> Potential system compromise: nb-javac library unsigned
> --
>
> Key: NETBEANS-240
> URL: https://issues.apache.org/jira/browse/NETBEANS-240
> Project: NetBeans
>  Issue Type: Bug
>Reporter: Markus Kilås
>Priority: Critical
>
> During startup of NetBeans the user is prompted to choose a javac library. 
> However, the recommended one, nbjavac, is fetched over an insecure connection 
> (both plugin metadata and the actually binaries are fetched over HTTP from 
> bits.netbeans.org and lahoda.info) and the binaries are unsigned.
> The plugin system does the right thing and warns the user about the unsigned 
> plugins. However, if the user anyway ignores the warnings the system could 
> easily be compromised. The risk of choosing the insecure alternative is also 
> larger due to that the user gets very mixed messages as the insecure option 
> is first "Highly recommended" and then there is a warning that it is 
> "potentially insecure".
> Binary being fetched from lahoda.info on HTTP port 80:
> {noformat}
> GET /netbeans/nb-javac-auc/org-netbeans-modules-nbjavac.nbm HTTP/1.1
> Cache-Control: no-cache
> Pragma: no-cache
> User-Agent: Java/1.8.0_151
> Host: lahoda.info
> Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
> Connection: keep-alive
> HTTP/1.1 200 OK
> Content-Type: application/octet-stream
> Accept-Ranges: bytes
> Content-Length: 17626
> Date: Mon, 01 Jan 2018 17:49:45 GMT
> Server: lighttpd/1.4.42
> PK..
> KMETA-INF/PK..
> ...
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

-
To unsubscribe, e-mail: commits-unsubscr...@netbeans.apache.org
For additional commands, e-mail: commits-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists

[jira] [Commented] (NETBEANS-240) Potential system compromise: nb-javac library unsigned

2018-01-14 Thread JIRA 

[ 
https://issues.apache.org/jira/browse/NETBEANS-240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16325539#comment-16325539
 ] 

Markus Kilås commented on NETBEANS-240:
---

Now with the beta (rc1) the binaries are fetched from plugins.netbeans.org but 
still over a potentially insecure connection (i.e. not using HTTPS) and the 
artifacts are signed with an untrusted signature.

Beginning of HTTP stream (on port 80):
{noformat}
GET /nbpluginportal/files/nbms/z9518_org-netbeans-modules-nbjavac.nbm HTTP/1.1
User-Agent: Java/9-Debian
Host: plugins.netbeans.org
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 200 OK
X-Content-Security-Policy: allow 'self' 'unsafe-inline' 'unsafe-eval' 
netbeans.org
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: application/octet-stream
Accept-Ranges: bytes
ETag: "2135653249"
Last-Modified: Thu, 11 Jan 2018 01:15:46 GMT
Content-Length: 19416
Date: Sun, 14 Jan 2018 12:13:13 GMT
Server: lighttpd/1.4.39

PK
."LMETA-INF/MANIFEST.MF..
{noformat}

Untrusted and self-signed certificate (that I got, but could have been replaced 
by a MitM):
{noformat}
[
[
  Version: V3
  Subject: CN=Jan Lahoda, OU=Unknown, O=Unknown, L=Unknown, ST=Czech Republic, 
C=CZ
  Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3

  Key:  Sun DSA Public Key
Parameters:DSA
p: fd7f5381 1d751229 52df4a9c 2eece4e7 f611b752 3cef4400 c31e3f80 
b6512669
455d4022 51fb593d 8d58fabf c5f5ba30 f6cb9b55 6cd7813b 801d346f f26660b7
6b9950a5 a49f9fe8 047b1022 c24fbba9 d7feb7c6 1bf83b57 e7c6a8a6 150f04fb
83f6d3c5 1ec30235 54135a16 9132f675 f3ae2b61 d72aeff2 2203199d d14801c7
q: 9760508f 15230bcc b292b982 a2eb840b f0581cf5
g: f7e1a085 d69b3dde cbbcab5c 36b857b9 7994afbb fa3aea82 f9574c0b 
3d078267
5159578e bad4594f e6710710 8180b449 167123e8 4c281613 b7cf0932 8cc8a6e1
3c167a8b 547c8d28 e0a3ae1e 2bb3a675 916ea37f 0bfa2135 62f1fb62 7a01243b
cca4f1be a8519089 a883dfe1 5ae59f06 928b665e 807b5525 64014c3b fecf492a

  y:
5b791985 6d375d42 41f6d5e8 9cd981fb fd3a9b8f e8d4188f e0155737 179f9a7b
bac15992 628d4ce6 cb1f6f72 c2cdee3c bf71215d 8415c970 be178dc5 4f415482
02c191d8 4dd6ae36 ce107b4b 128cd709 2c5d14d1 99f4add4 e952fe39 46af4bc3
270ac694 7da69f43 074f8443 6c40b111 22e936ed 19570617 43c85566 8d7183f5

  Validity: [From: Sun Dec 17 20:07:43 CET 2017,
   To: Sat Mar 17 20:07:43 CET 2018]
  Issuer: CN=Jan Lahoda, OU=Unknown, O=Unknown, L=Unknown, ST=Czech Republic, 
C=CZ
  SerialNumber: [1523a8b6]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
: 58 3E 59 F8 F5 91 96 CF   56 9B 44 9B 3D E2 F8 C3  X>Y.V.D.=...
0010: 23 DA E2 73#..s
]
]

]
  Algorithm: [SHA1withDSA]
  Signature:
: 30 2D 02 14 10 A2 97 4C   F7 A6 CE 33 05 0A E9 AD  0-.L...3
0010: 01 32 B7 8B 61 37 66 C3   02 15 00 97 53 62 23 F6  .2..a7f.Sb#.
0020: 6D 3E F1 F6 09 DA 37 F6   E8 20 18 EA EF 06 B2 m>7.. .

]
{noformat}

Not sure if this is a mistake or the proper signing is planned for after the 
beta release?



> Potential system compromise: nb-javac library unsigned
> --
>
> Key: NETBEANS-240
> URL: https://issues.apache.org/jira/browse/NETBEANS-240
> Project: NetBeans
>  Issue Type: Bug
>Reporter: Markus Kilås
>Priority: Critical
>
> During startup of NetBeans the user is prompted to choose a javac library. 
> However, the recommended one, nbjavac, is fetched over an insecure connection 
> (both plugin metadata and the actually binaries are fetched over HTTP from 
> bits.netbeans.org and lahoda.info) and the binaries are unsigned.
> The plugin system does the right thing and warns the user about the unsigned 
> plugins. However, if the user anyway ignores the warnings the system could 
> easily be compromised. The risk of choosing the insecure alternative is also 
> larger due to that the user gets very mixed messages as the insecure option 
> is first "Highly recommended" and then there is a warning that it is 
> "potentially insecure".
> Binary being fetched from lahoda.info on HTTP port 80:
> {noformat}
> GET /netbeans/nb-javac-auc/org-netbeans-modules-nbjavac.nbm HTTP/1.1
> Cache-Control: no-cache
> Pragma: no-cache
> User-Agent: Java/1.8.0_151
> Host: lahoda.info
> Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
> Connection: keep-alive
> HTTP/1.1 200 OK
> Content-Type: application/octet-stream
> Accept-Ranges: bytes
> Content-Length: 17626
> Date: Mon, 01 Jan 2018 17:49:45 GMT
> Server: lighttpd/1.4.42
> PK..
> KMETA-INF/PK..
> ...
> {noformat}



--
This message was

[jira] [Updated] (NETBEANS-281) Add ASF license to template selection

2018-01-14 Thread ASF GitHub Bot (JIRA) 

 [ 
https://issues.apache.org/jira/browse/NETBEANS-281?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ASF GitHub Bot updated NETBEANS-281:

Labels: pull-request-available  (was: )

> Add ASF license to template selection
> -
>
> Key: NETBEANS-281
> URL: https://issues.apache.org/jira/browse/NETBEANS-281
> Project: NetBeans
>  Issue Type: Improvement
>Reporter: lbruun
>Assignee: lbruun
>Priority: Trivial
>  Labels: pull-request-available
>
> Now that the NetBeans is an ASF project, the ASF license header should of 
> course be one of the possible license headers that are available in the IDE 
> (Tools --> Templates --> Licenses)



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

-
To unsubscribe, e-mail: commits-unsubscr...@netbeans.apache.org
For additional commands, e-mail: commits-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists

[jira] [Created] (NETBEANS-281) Add ASF license to template selection

2018-01-14 Thread lbruun (JIRA) 
lbruun created NETBEANS-281:
---

 Summary: Add ASF license to template selection
 Key: NETBEANS-281
 URL: https://issues.apache.org/jira/browse/NETBEANS-281
 Project: NetBeans
  Issue Type: Improvement
Reporter: lbruun
Assignee: lbruun
Priority: Trivial


Now that the NetBeans is an ASF project, the ASF license header should of 
course be one of the possible license headers that are available in the IDE 
(Tools --> Templates --> Licenses)



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

-
To unsubscribe, e-mail: commits-unsubscr...@netbeans.apache.org
For additional commands, e-mail: commits-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists

[jira] [Updated] (NETBEANS-276) Binaries wrongly included in source zip

2018-01-14 Thread ASF GitHub Bot (JIRA) 

 [ 
https://issues.apache.org/jira/browse/NETBEANS-276?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ASF GitHub Bot updated NETBEANS-276:

Labels: pull-request-available  (was: )

> Binaries wrongly included in source zip
> ---
>
> Key: NETBEANS-276
> URL: https://issues.apache.org/jira/browse/NETBEANS-276
> Project: NetBeans
>  Issue Type: Bug
>Reporter: Antonio Vieiro
>Priority: Blocker
>  Labels: pull-request-available
> Attachments: diff.txt
>
>
> The task that builds the zip file includes wrong jars.
> See [the mailing list for more 
> info|http://mail-archives.apache.org/mod_mbox/incubator-netbeans-dev/201801.mbox/browser]
> Differences are:
> incubator-netbeans$ diff -qr . ../extracted-source-files
> Only in .: .git
> Only in .: .gitattributes
> Only in .: .gitignore
> Only in .: .travis.yml
> Only in ../incubating: DEPENDENCIES
> Files ./LICENSE and ../incubating/LICENSE differ
> Files ./NOTICE and ../incubating/NOTICE differ
> Only in .: form.binding
> Only in .: hibernate
> Only in .: hibernate4lib
> Only in ../incubating/javahelp/external: jhall-2.0_05.jar
> Only in ../incubating/libs.junit4/external: hamcrest-core-1.3.jar
> Only in ../incubating/libs.junit4/external: junit-4.12.jar
> Only in .: libs.svnClientAdapter.svnkit
> Only in ../incubating/nbbuild: build
> Only in ../incubating/nbbuild/external: apache-rat-0.12.jar
> Only in ../incubating/nbbuild/external: apitest.jar
> Only in ../incubating/nbbuild/external: langtools-9.zip
> Only in ../incubating/nbbuild/external: vanilla-javac-api.jar
> Only in ../incubating/nbbuild/external: vanilla-javac-impl.jar
> Only in .: o.jdesktop.beansbinding
> Only in .: travis-check-line-endings.sh



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

-
To unsubscribe, e-mail: commits-unsubscr...@netbeans.apache.org
For additional commands, e-mail: commits-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists