svn commit: r24200 - in /dev/incubator/netbeans: incubating-netbeans-java/incubating-9.0-beta-rc2/ incubating-netbeans-platform/incubating-9.0-beta-rc2/
Author: jlahoda Date: Sun Jan 14 22:16:12 2018 New Revision: 24200 Log: Apache NetBeans 9.0-beta RC2. Added: dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/ dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip (with props) dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.asc dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.md5 dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.sha1 dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-source.zip (with props) dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-source.zip.asc dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-source.zip.md5 dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-source.zip.sha1 dev/incubator/netbeans/incubating-netbeans-platform/incubating-9.0-beta-rc2/ dev/incubator/netbeans/incubating-netbeans-platform/incubating-9.0-beta-rc2/incubating-netbeans-platform-9.0-beta-bin.zip (with props) dev/incubator/netbeans/incubating-netbeans-platform/incubating-9.0-beta-rc2/incubating-netbeans-platform-9.0-beta-bin.zip.asc dev/incubator/netbeans/incubating-netbeans-platform/incubating-9.0-beta-rc2/incubating-netbeans-platform-9.0-beta-bin.zip.md5 dev/incubator/netbeans/incubating-netbeans-platform/incubating-9.0-beta-rc2/incubating-netbeans-platform-9.0-beta-bin.zip.sha1 dev/incubator/netbeans/incubating-netbeans-platform/incubating-9.0-beta-rc2/incubating-netbeans-platform-9.0-beta-source.zip (with props) 
dev/incubator/netbeans/incubating-netbeans-platform/incubating-9.0-beta-rc2/incubating-netbeans-platform-9.0-beta-source.zip.asc dev/incubator/netbeans/incubating-netbeans-platform/incubating-9.0-beta-rc2/incubating-netbeans-platform-9.0-beta-source.zip.md5 dev/incubator/netbeans/incubating-netbeans-platform/incubating-9.0-beta-rc2/incubating-netbeans-platform-9.0-beta-source.zip.sha1 Added: dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip == Binary file - no diff available. Propchange: dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip -- svn:mime-type = application/octet-stream Added: dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.asc == --- dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.asc (added) +++ dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.asc Sun Jan 14 22:16:12 2018 
@@ -0,0 +1,17 @@ +-BEGIN PGP SIGNATURE- +Version: GnuPG v1 + +iQIcBAABAgAGBQJaW9MOAAoJELTBlA/qk2TxcTEP/AtA5lYvBk8sFwjN9qM6YP3T +3pHVL0x6dv0kmqUs2zTatAlg2HGHQxA4Tn9+OGgJwkBnnjhqsRKm1qxsbWbBBpOI +/40vYpY9mo0dNZFVW52g7HpyMcZowgiWPQIvPl/nE10PGjOZ05+Qz08hqUhYzA0A +u86qsVSnGp3YMATf25BrnR0NaI4tPyovHFEKTT3tQna22vS1VC6RFZboW7sLi9re +P6EBqzPXNARTKs20/Z+ww36svpKr9ie5lCIGBQgI7D7dvJu9x1k4HB8GYAecowQb +eNq7mU0sS4/MRHGjLt7yY8Eufxsk9YJ57MXk0SlbIrfKDWDRDDrmzbo7l74I/RsL +ErFfsuOUt5DbtuLqSAGRxX2Mp1nG0CVEPq9In0vY8zYkHyPJixTLycWYdgR5ssTG +xwAb3C3+HOjW1v5Ff/D4YhtNNE9YC8b319iGm7kpek/0izZvfMMHCalWLLG12H0h +L53wthX5BKxmJiWhrwLWswux/945Z1aBXEJa0XNdoNBYVg5LLYvALKHnGTbRzoW/ +C0ZESBZaYsTXZTAfFVZrGRYpUwVeqFCXua4j7P2uexLaw96Zu566cCl0Mc7jSeXU +DDRygT8dJzhX6ywiPKiYjZVruKthlRYiLZwGlzbb7WhZriLIMFkwzh63qBCst+QW +OSoYz3Nw3ZZ4CKODGhek +=5p6f +-END PGP SIGNATURE- Added: dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.md5 == --- dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.md5 (added) +++ dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.md5 Sun Jan 14 22:16:12 2018 @@ -0,0 +1 @@ +c8797937fe984221d09dee0d55bf9743 incubating-netbeans-java-9.0-beta-bin.zip Added: dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc2/incubating-netbeans-java-9.0-beta-bin.zip.sha1 == ---
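Review bot: the release candidate artifacts in the Added list are accompanied only by .md5 and .sha1 digest files (for example incubating-netbeans-java-9.0-beta-bin.zip.md5 and incubating-netbeans-java-9.0-beta-bin.zip.sha1), and both MD5 and SHA-1 have practical collision attacks. Please add a .sha512 (or at least .sha256) file next to each zip, and make sure the vote instructions treat the detached .asc signature, not the digests, as the authenticity check; the digests here only catch accidental corruption.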
[jira] [Created] (NETBEANS-282) UnsatisfiedLinkError trying to open browser
Gili created NETBEANS-282:
-----------------------------

Summary: UnsatisfiedLinkError trying to open browser
Key: NETBEANS-282
URL: https://issues.apache.org/jira/browse/NETBEANS-282
Project: NetBeans
Issue Type: Bug
Environment:
  Product Version: Apache NetBeans IDE Dev (Build 20180106-unknown-revn)
  Updates: Updates available
  Java: 9.0.1; Java HotSpot(TM) 64-Bit Server VM 9.0.1+11
  Runtime: Java(TM) SE Runtime Environment 9.0.1+11
  System: Windows 10 version 10.0 running on amd64; Cp1252; en_CA (nb)
  User directory: C:\Users\Gili\AppData\Roaming\NetBeans\dev
  Cache directory: C:\Users\Gili\AppData\Local\NetBeans\Cache\dev
Reporter: Gili

1. CTRL+LMB on a link inside a Java file.
2. Exception thrown:

{code}
java.lang.UnsatisfiedLinkError: no extbrowser64 in java.library.path
  at java.base/java.lang.ClassLoader.loadLibrary(ClassLoader.java:2541)
  at java.base/java.lang.Runtime.loadLibrary0(Runtime.java:873)
  at java.base/java.lang.System.loadLibrary(System.java:1857)
  at org.netbeans.modules.extbrowser.NbDdeBrowserImpl.(NbDdeBrowserImpl.java:82)
  at org.netbeans.modules.extbrowser.SystemDefaultBrowser.createHtmlBrowserImpl(SystemDefaultBrowser.java:94)
  at org.netbeans.core.NbURLDisplayer.warmBrowserUp(NbURLDisplayer.java:100)
  at org.netbeans.core.NbURLDisplayer.access$000(NbURLDisplayer.java:47)
  at org.netbeans.core.NbURLDisplayer$1.run(NbURLDisplayer.java:59)
  at org.openide.util.RequestProcessor$Task.run(RequestProcessor.java:1418)
  at org.netbeans.modules.openide.util.GlobalLookup.execute(GlobalLookup.java:45)
  at org.openide.util.lookup.Lookups.executeWith(Lookups.java:278)
  at org.openide.util.RequestProcessor$Processor.run(RequestProcessor.java:2033)
Caused: org.openide.util.RequestProcessor$SlowItem: task failed due to
  at org.openide.util.RequestProcessor.post(RequestProcessor.java:395)
  at org.netbeans.core.NbURLDisplayer.showURL(NbURLDisplayer.java:55)
  at org.netbeans.modules.editor.url.HyperlinkImpl.performClickAction(HyperlinkImpl.java:105)
  at org.netbeans.lib.editor.hyperlink.HyperlinkOperation.performAction(HyperlinkOperation.java:249)
  at org.netbeans.lib.editor.hyperlink.HyperlinkOperation.mouseClicked(HyperlinkOperation.java:422)
  at java.desktop/java.awt.AWTEventMulticaster.mouseClicked(AWTEventMulticaster.java:278)
  at java.desktop/java.awt.AWTEventMulticaster.mouseClicked(AWTEventMulticaster.java:277)
  at java.desktop/java.awt.Component.processMouseEvent(Component.java:6581)
  at java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3343)
  at java.desktop/java.awt.Component.processEvent(Component.java:6343)
  at java.desktop/java.awt.Container.processEvent(Container.java:2259)
  at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:4961)
  at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2317)
  at java.desktop/java.awt.Component.dispatchEvent(Component.java:4793)
  at java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4904)
  at java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4548)
  at java.desktop/java.awt.LightweightDispatcher.dispatchEvent(Container.java:4480)
  at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2303)
  at java.desktop/java.awt.Window.dispatchEventImpl(Window.java:2758)
  at java.desktop/java.awt.Component.dispatchEvent(Component.java:4793)
  at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:766)
  at java.desktop/java.awt.EventQueue.access$500(EventQueue.java:97)
  at java.desktop/java.awt.EventQueue$3.run(EventQueue.java:717)
  at java.desktop/java.awt.EventQueue$3.run(EventQueue.java:711)
  at java.base/java.security.AccessController.doPrivileged(Native Method)
  at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:89)
  at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:99)
  at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:739)
  at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:737)
  at java.base/java.security.AccessController.doPrivileged(Native Method)
  at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:89)
  at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:736)
  at org.netbeans.core.TimableEventQueue.dispatchEvent(TimableEventQueue.java:136)
  at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:199)
  at
[incubator-netbeans] branch master updated: [NETBEANS-281] Add ASF license template (#367)
This is an automated email from the ASF dual-hosted git repository. junichi11 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-netbeans.git The following commit(s) were added to refs/heads/master by this push: new d23e386 [NETBEANS-281] Add ASF license template (#367) d23e386 is described below commit d23e386c221cf689d65b1c2a1711b9e81c45d907 Author: lbruun <32431476+lbr...@users.noreply.github.com> AuthorDate: Sun Jan 14 15:15:10 2018 +0100 [NETBEANS-281] Add ASF license template (#367) * [NETBEANS-281] Merge with PR174 Merge the idea in PR174 into this change. --- .../apisupport/project/queries/TemplateAttributesProvider.java | 2 +- .../src/org/netbeans/modules/apisupport/project/resources/layer.xml | 5 - .../src/org/netbeans/modules/apisupport/project/ui/Bundle.properties | 1 - dlight.nativeexecution/nbproject/project.properties | 2 +- .../netbeans/modules/project/ui/resources/apache20-asf-license.txt | 0 projectui/src/org/netbeans/modules/project/ui/resources/layer.xml| 5 + terminal/nbproject/project.properties| 2 +- 7 files changed, 8 insertions(+), 9 deletions(-) diff --git a/apisupport.ant/src/org/netbeans/modules/apisupport/project/queries/TemplateAttributesProvider.java b/apisupport.ant/src/org/netbeans/modules/apisupport/project/queries/TemplateAttributesProvider.java index 26c856f..1e18549 100644 --- a/apisupport.ant/src/org/netbeans/modules/apisupport/project/queries/TemplateAttributesProvider.java +++ b/apisupport.ant/src/org/netbeans/modules/apisupport/project/queries/TemplateAttributesProvider.java @@ -63,7 +63,7 @@ public class TemplateAttributesProvider implements CreateFromTemplateAttributesP String licensePath = props.getProperty("project.licensePath"); // NOI18N if (license == null && netbeansOrg) { -license = "apache20-netbeans"; // NOI18N +license = "apache20-asf"; // NOI18N } if (license == null && licensePath == null && project != null) { SuiteProject sp; 
diff --git a/apisupport.ant/src/org/netbeans/modules/apisupport/project/resources/layer.xml b/apisupport.ant/src/org/netbeans/modules/apisupport/project/resources/layer.xml index 457ff40..2b0ad2d 100644 --- a/apisupport.ant/src/org/netbeans/modules/apisupport/project/resources/layer.xml +++ b/apisupport.ant/src/org/netbeans/modules/apisupport/project/resources/layer.xml @@ -261,11 +261,6 @@ http://www.netbeans.org/cddl-gplv2.html"/> - - - -http://www.apache.org/licenses/LICENSE-2.0"/> - diff --git a/apisupport.ant/src/org/netbeans/modules/apisupport/project/ui/Bundle.properties b/apisupport.ant/src/org/netbeans/modules/apisupport/project/ui/Bundle.properties index 4ceb39a..267ae49 100644 --- a/apisupport.ant/src/org/netbeans/modules/apisupport/project/ui/Bundle.properties +++ b/apisupport.ant/src/org/netbeans/modules/apisupport/project/ui/Bundle.properties @@ -75,7 +75,6 @@ HINT_suite_project_root_node=Module suite project in {0} LBL_jnlp_master=JNLP Descriptor Templates/Licenses/license-cddl-netbeans-sun.txt=NetBeans CDDL/GPL -Templates/Licenses/license-apache20-netbeans.txt=NetBeans Apache License 2.0 TestDataDirsNodeFactory.unit_test_data=Unit Test Data TestDataDirsNodeFactory.qa-functional_test_data=Functional Test Data diff --git a/dlight.nativeexecution/nbproject/project.properties b/dlight.nativeexecution/nbproject/project.properties index 14f5991..345cefd 100644 --- a/dlight.nativeexecution/nbproject/project.properties +++ b/dlight.nativeexecution/nbproject/project.properties @@ -18,7 +18,7 @@ is.autoload=true javac.source=1.7 javac.compilerargs=-Xlint -Xlint:-serial javadoc.arch=${basedir}/arch.xml -project.license=apache20-netbeans +project.license=apache20-asf nbm.executable.files=bin/nativeexecution/** jnlp.indirect.files=bin/nativeexecution/** spec.version.base=1.40.13 
diff --git a/apisupport.ant/src/org/netbeans/modules/apisupport/project/resources/license-apache20-netbeans.txt b/projectui/src/org/netbeans/modules/project/ui/resources/apache20-asf-license.txt similarity index 100% rename from apisupport.ant/src/org/netbeans/modules/apisupport/project/resources/license-apache20-netbeans.txt rename to projectui/src/org/netbeans/modules/project/ui/resources/apache20-asf-license.txt diff --git a/projectui/src/org/netbeans/modules/project/ui/resources/layer.xml b/projectui/src/org/netbeans/modules/project/ui/resources/layer.xml index bf38bc5..c94adac 100644 --- a/projectui/src/org/netbeans/modules/project/ui/resources/layer.xml +++ b/projectui/src/org/netbeans/modules/project/ui/resources/layer.xml @@ -179,6 +179,11 @@ https://opensource.org/licenses/Apache-2.0
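Review bot: the default in TemplateAttributesProvider.java changes from "apache20-netbeans" to "apache20-asf" and the template file is renamed to match, but the diffstat only updates project.license in dlight.nativeexecution and terminal. Any other module, or an existing user project, that still sets project.license=apache20-netbeans will no longer resolve to a template after this lands. Please run a repository-wide search for the old value and either update the remaining references in this change or keep the old name registered as an alias of the new template.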
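Review bot: the Bundle.properties hunk drops the display-name key "Templates/Licenses/license-apache20-netbeans.txt=NetBeans Apache License 2.0", and no Bundle.properties under projectui appears among the 7 changed files. Please confirm that the five lines added to projectui layer.xml give the moved template its own display name, otherwise it will show up in Tools > Templates > Licenses under its raw file name.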
[incubator-netbeans] branch master updated (2b21706 -> e4a282a)
This is an automated email from the ASF dual-hosted git repository.

geertjan pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/incubator-netbeans.git.

    from 2b21706  Merge pull request #357 from matthiasblaesing/issue-250
     add a25a59d  [NETBEANS-276]: fixing top-level LICENSE, making NOTICE and nbbuild/notice-stub.txt the same, reusing top-level LICENSE in builds, excluding external/*.jar and external/*.zip from source build.
     new e4a282a  Merge pull request #366 from jlahoda/NETBEANS-276

The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 LICENSE                  | 407 +++
 NOTICE                   |  11 +-
 nbbuild/build.xml        |  10 +-
 nbbuild/license-stub.txt | 203 ---
 nbbuild/notice-stub.txt  |   4 +-
 5 files changed, 218 insertions(+), 417 deletions(-)
 delete mode 100644 nbbuild/license-stub.txt

--
To stop receiving notification emails like this one, please contact ['"commits@netbeans.apache.org"'].

To unsubscribe, e-mail: commits-unsubscr...@netbeans.apache.org
For additional commands, e-mail: commits-h...@netbeans.apache.org
For further information about the NetBeans mailing lists, visit: https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
[jira] [Comment Edited] (NETBEANS-240) Potential system compromise: nb-javac library unsigned
[ https://issues.apache.org/jira/browse/NETBEANS-240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16325548#comment-16325548 ]

Markus Kilås edited comment on NETBEANS-240 at 1/14/18 12:38 PM:
-----------------------------------------------------------------

Oh, okay yes that could be a bigger topic. But wouldn't that then be the same issue also for the other modules? For instance in the plugin portal I see that there are updates (i.e. for "IDE Platform", "Docker UI", "Local Tasks" and Ant) and those can be installed directly without any warning. They seem to be signed by Oracle certificates. I would assume the same process could be used to also sign the nb-javac library and we wouldn't have this issue, no?

was (Author: netmackan):
Oh, okay yes that could be a bigger topic. But wouldn't that then be the same issue also for the other modules? For instance in the plugin portal I see that there are updates (i.e. for "IDE Platform", "Docker UI", "Local Tasks" and Ant) and those can be installed directly without any warning. They seem to be signed certificates. I would assume the same process could be used to also sign the nb-javac library and we wouldn't have this issue, no?

> Potential system compromise: nb-javac library unsigned
> ------------------------------------------------------
>
> Key: NETBEANS-240
> URL: https://issues.apache.org/jira/browse/NETBEANS-240
> Project: NetBeans
> Issue Type: Bug
> Reporter: Markus Kilås
> Priority: Critical
>
> During startup of NetBeans the user is prompted to choose a javac library.
> However, the recommended one, nbjavac, is fetched over an insecure connection
> (both plugin metadata and the actual binaries are fetched over HTTP from
> bits.netbeans.org and lahoda.info) and the binaries are unsigned.
> The plugin system does the right thing and warns the user about the unsigned
> plugins. However, if the user anyway ignores the warnings the system could
> easily be compromised. The risk of choosing the insecure alternative is also
> larger due to that the user gets very mixed messages as the insecure option
> is first "Highly recommended" and then there is a warning that it is
> "potentially insecure".
> Binary being fetched from lahoda.info on HTTP port 80:
> {noformat}
> GET /netbeans/nb-javac-auc/org-netbeans-modules-nbjavac.nbm HTTP/1.1
> Cache-Control: no-cache
> Pragma: no-cache
> User-Agent: Java/1.8.0_151
> Host: lahoda.info
> Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
> Connection: keep-alive
>
> HTTP/1.1 200 OK
> Content-Type: application/octet-stream
> Accept-Ranges: bytes
> Content-Length: 17626
> Date: Mon, 01 Jan 2018 17:49:45 GMT
> Server: lighttpd/1.4.42
>
> PK..
> KMETA-INF/PK..
> ...
> {noformat}

--
This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (NETBEANS-240) Potential system compromise: nb-javac library unsigned
[ https://issues.apache.org/jira/browse/NETBEANS-240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16325548#comment-16325548 ]

Markus Kilås commented on NETBEANS-240:
---------------------------------------

Oh, okay yes that could be a bigger topic. But wouldn't that then be the same issue also for the other modules? For instance in the plugin portal I see that there are updates (i.e. for "IDE Platform", "Docker UI", "Local Tasks" and Ant) and those can be installed directly without any warning. They seem to be signed certificates. I would assume the same process could be used to also sign the nb-javac library and we wouldn't have this issue, no?
[jira] [Commented] (NETBEANS-240) Potential system compromise: nb-javac library unsigned
[ https://issues.apache.org/jira/browse/NETBEANS-240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16325542#comment-16325542 ] Geertjan Wielenga commented on NETBEANS-240: I think the point is that it's not clear what the proper signing is for Apache.
[jira] [Commented] (NETBEANS-240) Potential system compromise: nb-javac library unsigned
[ https://issues.apache.org/jira/browse/NETBEANS-240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16325539#comment-16325539 ]

Markus Kilås commented on NETBEANS-240:
---------------------------------------

Now with the beta (rc1) the binaries are fetched from plugins.netbeans.org but still over a potentially insecure connection (i.e. not using HTTPS) and the artifacts are signed with an untrusted signature.

Beginning of HTTP stream (on port 80):
{noformat}
GET /nbpluginportal/files/nbms/z9518_org-netbeans-modules-nbjavac.nbm HTTP/1.1
User-Agent: Java/9-Debian
Host: plugins.netbeans.org
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 200 OK
X-Content-Security-Policy: allow 'self' 'unsafe-inline' 'unsafe-eval' netbeans.org
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: application/octet-stream
Accept-Ranges: bytes
ETag: "2135653249"
Last-Modified: Thu, 11 Jan 2018 01:15:46 GMT
Content-Length: 19416
Date: Sun, 14 Jan 2018 12:13:13 GMT
Server: lighttpd/1.4.39

PK ."LMETA-INF/MANIFEST.MF..
{noformat} Untrusted and self-signed certificate (that I got, but could have been replaced by a MitM): {noformat} [ [ Version: V3 Subject: CN=Jan Lahoda, OU=Unknown, O=Unknown, L=Unknown, ST=Czech Republic, C=CZ Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3 Key: Sun DSA Public Key Parameters:DSA p: fd7f5381 1d751229 52df4a9c 2eece4e7 f611b752 3cef4400 c31e3f80 b6512669 455d4022 51fb593d 8d58fabf c5f5ba30 f6cb9b55 6cd7813b 801d346f f26660b7 6b9950a5 a49f9fe8 047b1022 c24fbba9 d7feb7c6 1bf83b57 e7c6a8a6 150f04fb 83f6d3c5 1ec30235 54135a16 9132f675 f3ae2b61 d72aeff2 2203199d d14801c7 q: 9760508f 15230bcc b292b982 a2eb840b f0581cf5 g: f7e1a085 d69b3dde cbbcab5c 36b857b9 7994afbb fa3aea82 f9574c0b 3d078267 5159578e bad4594f e6710710 8180b449 167123e8 4c281613 b7cf0932 8cc8a6e1 3c167a8b 547c8d28 e0a3ae1e 2bb3a675 916ea37f 0bfa2135 62f1fb62 7a01243b cca4f1be a8519089 a883dfe1 5ae59f06 928b665e 807b5525 64014c3b fecf492a y: 5b791985 6d375d42 41f6d5e8 9cd981fb fd3a9b8f e8d4188f e0155737 179f9a7b bac15992 628d4ce6 cb1f6f72 c2cdee3c bf71215d 8415c970 be178dc5 4f415482 02c191d8 4dd6ae36 ce107b4b 128cd709 2c5d14d1 99f4add4 e952fe39 46af4bc3 270ac694 7da69f43 074f8443 6c40b111 22e936ed 19570617 43c85566 8d7183f5 Validity: [From: Sun Dec 17 20:07:43 CET 2017, To: Sat Mar 17 20:07:43 CET 2018] Issuer: CN=Jan Lahoda, OU=Unknown, O=Unknown, L=Unknown, ST=Czech Republic, C=CZ SerialNumber: [1523a8b6] Certificate Extensions: 1 [1]: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ : 58 3E 59 F8 F5 91 96 CF 56 9B 44 9B 3D E2 F8 C3 X>Y.V.D.=... 0010: 23 DA E2 73#..s ] ] ] Algorithm: [SHA1withDSA] Signature: : 30 2D 02 14 10 A2 97 4C F7 A6 CE 33 05 0A E9 AD 0-.L...3 0010: 01 32 B7 8B 61 37 66 C3 02 15 00 97 53 62 23 F6 .2..a7f.Sb#. 0020: 6D 3E F1 F6 09 DA 37 F6 E8 20 18 EA EF 06 B2 m>7.. . ] {noformat} Not sure if this is a mistake or the proper signing is planned for after the beta release? 
[jira] [Updated] (NETBEANS-281) Add ASF license to template selection
[ https://issues.apache.org/jira/browse/NETBEANS-281?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

ASF GitHub Bot updated NETBEANS-281:
------------------------------------
Labels: pull-request-available (was: )

> Add ASF license to template selection
> -------------------------------------
>
> Key: NETBEANS-281
> URL: https://issues.apache.org/jira/browse/NETBEANS-281
> Project: NetBeans
> Issue Type: Improvement
> Reporter: lbruun
> Assignee: lbruun
> Priority: Trivial
> Labels: pull-request-available
>
> Now that the NetBeans is an ASF project, the ASF license header should of
> course be one of the possible license headers that are available in the IDE
> (Tools --> Templates --> Licenses)
[jira] [Created] (NETBEANS-281) Add ASF license to template selection
lbruun created NETBEANS-281:
----------------------------

Summary: Add ASF license to template selection
Key: NETBEANS-281
URL: https://issues.apache.org/jira/browse/NETBEANS-281
Project: NetBeans
Issue Type: Improvement
Reporter: lbruun
Assignee: lbruun
Priority: Trivial

Now that the NetBeans is an ASF project, the ASF license header should of course be one of the possible license headers that are available in the IDE (Tools --> Templates --> Licenses)
[jira] [Updated] (NETBEANS-276) Binaries wrongly included in source zip
[ https://issues.apache.org/jira/browse/NETBEANS-276?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

ASF GitHub Bot updated NETBEANS-276:
------------------------------------
Labels: pull-request-available (was: )

> Binaries wrongly included in source zip
> ---------------------------------------
>
> Key: NETBEANS-276
> URL: https://issues.apache.org/jira/browse/NETBEANS-276
> Project: NetBeans
> Issue Type: Bug
> Reporter: Antonio Vieiro
> Priority: Blocker
> Labels: pull-request-available
> Attachments: diff.txt
>
> The task that builds the zip file includes wrong jars.
> See [the mailing list for more info|http://mail-archives.apache.org/mod_mbox/incubator-netbeans-dev/201801.mbox/browser]
> Differences are:
> incubator-netbeans$ diff -qr . ../extracted-source-files
> Only in .: .git
> Only in .: .gitattributes
> Only in .: .gitignore
> Only in .: .travis.yml
> Only in ../incubating: DEPENDENCIES
> Files ./LICENSE and ../incubating/LICENSE differ
> Files ./NOTICE and ../incubating/NOTICE differ
> Only in .: form.binding
> Only in .: hibernate
> Only in .: hibernate4lib
> Only in ../incubating/javahelp/external: jhall-2.0_05.jar
> Only in ../incubating/libs.junit4/external: hamcrest-core-1.3.jar
> Only in ../incubating/libs.junit4/external: junit-4.12.jar
> Only in .: libs.svnClientAdapter.svnkit
> Only in ../incubating/nbbuild: build
> Only in ../incubating/nbbuild/external: apache-rat-0.12.jar
> Only in ../incubating/nbbuild/external: apitest.jar
> Only in ../incubating/nbbuild/external: langtools-9.zip
> Only in ../incubating/nbbuild/external: vanilla-javac-api.jar
> Only in ../incubating/nbbuild/external: vanilla-javac-impl.jar
> Only in .: o.jdesktop.beansbinding
> Only in .: travis-check-line-endings.sh