Re: NetBeans and the Octopus
https://www.zdnet.com/article/github-warns-java-developers-of-new-malware-poisoning-netbeans-projects/

On Fri, 29 May 2020 at 15:46, Jesse Glick wrote:
> A further note:
>
> > the malware also infected any JAR files that were available in the
> > project, such as dependencies—not necessarily just build artifacts
>
> If I understand correctly what is being said here, this kind of attack
> only makes sense for a build system which keeps binary dependencies in
> the source tree, which of course is a bad idea anyway, but was an
> aspect of the original managed Ant project type. Speaking as the
> architect of that system, it should be deprecated and removed from the
> default download. (If a viable version of Maven or Ivy had been
> available at that time, we would have used it.)
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@netbeans.apache.org
> For additional commands, e-mail: dev-h...@netbeans.apache.org
>
> For further information about the NetBeans mailing lists, visit:
> https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
Re: NetBeans and the Octopus
A further note:

> the malware also infected any JAR files that were available in the project,
> such as dependencies—not necessarily just build artifacts

If I understand correctly what is being said here, this kind of attack only makes sense for a build system which keeps binary dependencies in the source tree, which of course is a bad idea anyway, but was an aspect of the original managed Ant project type. Speaking as the architect of that system, it should be deprecated and removed from the default download. (If a viable version of Maven or Ivy had been available at that time, we would have used it.)
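One defensive check that follows from the note above about binary dependencies living in the source tree, as an added example that is not code from the thread or from NetBeans: pin a per-entry fingerprint of every JAR checked into the project (e.g. under lib/) and diff the JARs on disk against that manifest, so a dependency JAR that has gained or changed class files is reported. The project layout, the JAR contents and the manifest format are constructed for the demo.

```python
"""Added example (not from the thread): fingerprint JARs kept in a source tree
and diff them against a committed manifest to catch rewritten dependencies."""
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path


def jar_fingerprint(jar_bytes: bytes) -> dict:
    """Map every file entry in a JAR to the SHA-256 of its (decompressed) content."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}


def diff_fingerprints(pinned: dict, current: dict) -> dict:
    """Entries added, removed or modified relative to the pinned fingerprint."""
    common = pinned.keys() & current.keys()
    return {"added": sorted(current.keys() - pinned.keys()),
            "removed": sorted(pinned.keys() - current.keys()),
            "modified": sorted(n for n in common if pinned[n] != current[n])}


def build_jar(entries: dict) -> bytes:
    """Constructed sample data: build a small JAR in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def verify_source_tree(root: Path, manifest: dict) -> dict:
    """Check each *.jar under root against manifest {relpath: fingerprint}; unpinned JARs are flagged."""
    report = {}
    for jar in sorted(root.rglob("*.jar")):
        rel = jar.relative_to(root).as_posix()
        fp = jar_fingerprint(jar.read_bytes())
        report[rel] = diff_fingerprints(manifest[rel], fp) if rel in manifest else "unpinned"
    return report


def demo() -> dict:
    """Hypothetical project: one pinned JAR that gained a class file, one JAR never pinned."""
    clean = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n", "a/Util.class": b"\xca\xfe\xba\xbe"}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lib").mkdir()
        (root / "lib/dep.jar").write_bytes(build_jar({**clean, "a/Extra.class": b"\xca\xfe\xba\xbe!"}))
        (root / "lib/other.jar").write_bytes(build_jar(clean))
        manifest = {"lib/dep.jar": jar_fingerprint(build_jar(clean))}  # pinned from the clean copy
        return verify_source_tree(root, manifest)
```

The manifest would be committed alongside the project and regenerated only when a dependency is deliberately upgraded; any other diff is a reason to stop the build.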
Re: NetBeans and the Octopus
Was just reading this myself. Seems to be specific to managed Ant-based projects, not (say) Maven or Gradle or freeform Ant. As far as I can tell, NetBeans itself is not at fault; this is just a virus that infects a type of build system, pretty much all of which presume that the build is running in the user’s process namespace and thus that all build scripts are trusted. Some more modern build system could use containers to sandbox build steps, I suppose; typically this is done for CI systems and not for developer environments (pending things like GitPod and GitHub’s new in-browser IDE becoming more widespread).
NetBeans and the Octopus
What's all this, then?

https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain

-- 
Glenn Holmer (Linux registered user #16682)
"After the vintage season came the aftermath -- and Cenbe."