[GitHub] [netbeans] emilianbold commented on issue #1260: Adds SHA-512 to external binaries

2019-09-16 Thread GitBox
emilianbold commented on issue #1260: Adds SHA-512 to external binaries
URL: https://github.com/apache/netbeans/pull/1260#issuecomment-531845527
 
 
   Would be an interesting proof of concept to build a JAR with a colliding
   SHA1 using the https://shattered.io paper and show that if one were to
   control the network / proxy one could basically inject executable code into
   a fresh NetBeans build.
   
   Of course, it cost Google $100,000 beginning of year to find a collision
   but perhaps in a few years it could become cheap enough to run on a GTX.
   
   --emi
   
   
   On Mon, Sep 16, 2019 at 5:30 PM Neil C Smith wrote:
   
   > As this hasn't been updated for NB 11.2 and is likely to drift further
   > away from being mergeable I suggest we close this PR, and open another one
   > as and when it's ready to be merged?
   


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

-
To unsubscribe, e-mail: notifications-unsubscr...@netbeans.apache.org
For additional commands, e-mail: notifications-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists



[GitHub] [netbeans] emilianbold commented on issue #1260: Adds SHA-512 to external binaries

2019-08-12 Thread GitBox
emilianbold commented on issue #1260: Adds SHA-512 to external binaries
URL: https://github.com/apache/netbeans/pull/1260#issuecomment-520629055
 
 
   Wasn't blaming you. It happened for reasons, can still be frustrating.





[GitHub] [netbeans] emilianbold commented on issue #1260: Adds SHA-512 to external binaries

2019-08-12 Thread GitBox
emilianbold commented on issue #1260: Adds SHA-512 to external binaries
URL: https://github.com/apache/netbeans/pull/1260#issuecomment-520571716
 
 
   By drop I mean abandon.
   
   BTW, it's quite frustrating that as a committer I made a PR then nicely waited in line just so my PR does not get merged for the next release so I have to re-do it since it also has conflicts now...





[GitHub] [netbeans] emilianbold commented on issue #1260: Adds SHA-512 to external binaries

2019-08-12 Thread GitBox
emilianbold commented on issue #1260: Adds SHA-512 to external binaries
URL: https://github.com/apache/netbeans/pull/1260#issuecomment-520515441
 
 
   I think we can drop this PR, correct? Don't understand why it wasn't merged for 11.1...





[GitHub] [netbeans] emilianbold commented on issue #1260: Adds SHA-512 to external binaries

2019-05-30 Thread GitBox
emilianbold commented on issue #1260: Adds SHA-512 to external binaries
URL: https://github.com/apache/netbeans/pull/1260#issuecomment-497291265
 
 
   I would prefer to merge this before we add some new libs and I have to re-add the SHA512 values.





[GitHub] [netbeans] emilianbold commented on issue #1260: Adds SHA-512 to external binaries

2019-05-26 Thread GitBox
emilianbold commented on issue #1260: Adds SHA-512 to external binaries
URL: https://github.com/apache/netbeans/pull/1260#issuecomment-496071509
 
 
   We can add the size check later on. SHA-512 is really strong compared to SHA-1. I think we'll be good.





[GitHub] [netbeans] emilianbold commented on issue #1260: Adds SHA-512 to external binaries

2019-05-26 Thread GitBox
emilianbold commented on issue #1260: Adds SHA-512 to external binaries
URL: https://github.com/apache/netbeans/pull/1260#issuecomment-496020352
 
 
   I like the current format but it probably needs some README.
   
   My changes bring it closer to a distinfo file from pkgsrc. See https://wiki.netbsd.org/pkgsrc/intro_to_packaging/ where the distinfo file looks like:
   
   ```
   SHA1 (osxinfo/de74b8960f27844f7b264697d124411f81a1eab6.tar.gz) = 83a2838ad95ff73255bea7f496a8cc9aaa4e17ca
   RMD160 (osxinfo/de74b8960f27844f7b264697d124411f81a1eab6.tar.gz) = 9102eb2a938be38c4adf8cfbf781c04d0844d09a
   Size (osxinfo/de74b8960f27844f7b264697d124411f81a1eab6.tar.gz) = 5981 bytes
   ```
   
   So if we use
   
   ```
   sha-1 filename hashvalue
   sha-256 filename hashvalue
   ```
   
   it's close enough.
   
   Note that I'm still supporting the old format which basically is
   
   ```
   sha1-hash filename
   ```
   
   but I didn't want to replace all those lines with the new format `sha-1 filename hashvalue` as it would have made the patch really hard to verify...
   
   So, I don't really want to do the extra work for an XML. I don't believe there even is a standard we could follow to say we just copy the DTD... These files also quite rarely change.
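
The two line formats described in the comment above can be read by one verifier; the following is an added example, not part of the original post and not the NetBeans build code. It assumes the `sha-512` label follows the same style as `sha-1` and `sha-256`, that `#` starts a comment line, and all file names and bytes are constructed.

```python
import hashlib

# Labels from the thread mapped to hashlib names, weakest first; "sha-512"
# is assumed from the PR title to follow the same label style.
ALGOS = {"sha-1": "sha1", "sha-256": "sha256", "sha-512": "sha512"}
STRENGTH = list(ALGOS.values())

def parse_line(line):
    """Return (algo, filename, digest), or None for blank/comment lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):  # '#' comments: an assumption
        return None
    if len(parts) == 3 and parts[0].lower() in ALGOS:
        # New format: "sha-1 filename hashvalue"
        algo, name, digest = ALGOS[parts[0].lower()], parts[1], parts[2]
    elif len(parts) == 2:
        # Old format: "sha1-hash filename"
        algo, name, digest = "sha1", parts[1], parts[0]
    else:
        raise ValueError(f"unrecognised line: {line!r}")
    ok_len = len(digest) == hashlib.new(algo).digest_size * 2
    if not ok_len or set(digest.lower()) - set("0123456789abcdef"):
        raise ValueError(f"malformed {algo} digest for {name}")
    return algo, name, digest.lower()

def parse_list(text):
    """Map filename -> {algo: digest}; conflicting duplicates are an error."""
    entries = {}
    for parsed in filter(None, map(parse_line, text.splitlines())):
        algo, name, digest = parsed
        if entries.setdefault(name, {}).setdefault(algo, digest) != digest:
            raise ValueError(f"conflicting {algo} digests for {name}")
    return entries

def verify(name, data, entries):
    """Check data against every listed digest; return the strongest algo."""
    for algo, expected in entries[name].items():
        if hashlib.new(algo, data).hexdigest() != expected:
            raise ValueError(f"{algo} mismatch for {name}")
    return max(entries[name], key=STRENGTH.index)

# Constructed sample: one old-format line and two new-format lines.
JAR = b"constructed jar bytes"
SAMPLE = "\n".join([
    hashlib.sha1(JAR).hexdigest() + " old-lib.jar",
    "sha-1 new-lib.jar " + hashlib.sha1(JAR).hexdigest(),
    "sha-512 new-lib.jar " + hashlib.sha512(JAR).hexdigest(),
])
```

`verify` returns the strongest algorithm that covered the file, so a caller can reject downloads whose only listed digest is still SHA-1 (the old-format lines).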

