[ https://issues.apache.org/jira/browse/NETBEANS-240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16325548#comment-16325548 ]
Markus Kilås commented on NETBEANS-240:
---------------------------------------

Oh, okay yes that could be a bigger topic. But wouldn't that then be the same issue also for the other modules? For instance in the plugin portal I see that there are updates (i.e. for "IDE Platform", "Docker UI", "Local Tasks" and Ant) and those can be installed directly without any warning. They seem to be signed with certificates. I would assume the same process could be used to also sign the nb-javac library and we wouldn't have this issue, no?

> Potential system compromise: nb-javac library unsigned
> ------------------------------------------------------
>
> Key: NETBEANS-240
> URL: https://issues.apache.org/jira/browse/NETBEANS-240
> Project: NetBeans
> Issue Type: Bug
> Reporter: Markus Kilås
> Priority: Critical
>
> During startup of NetBeans the user is prompted to choose a javac library.
> However, the recommended one, nbjavac, is fetched over an insecure connection
> (both plugin metadata and the actual binaries are fetched over HTTP from
> bits.netbeans.org and lahoda.info) and the binaries are unsigned.
> The plugin system does the right thing and warns the user about the unsigned
> plugins. However, if the user anyway ignores the warnings the system could
> easily be compromised. The risk of choosing the insecure alternative is also
> larger because the user gets very mixed messages, as the insecure option
> is first "Highly recommended" and then there is a warning that it is
> "potentially insecure".
> Binary being fetched from lahoda.info on HTTP port 80:
> {noformat}
> GET /netbeans/nb-javac-auc/org-netbeans-modules-nbjavac.nbm HTTP/1.1
> Cache-Control: no-cache
> Pragma: no-cache
> User-Agent: Java/1.8.0_151
> Host: lahoda.info
> Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
> Connection: keep-alive
>
> HTTP/1.1 200 OK
> Content-Type: application/octet-stream
> Accept-Ranges: bytes
> Content-Length: 17626
> Date: Mon, 01 Jan 2018 17:49:45 GMT
> Server: lighttpd/1.4.42
>
> PK..
> ........K................META-INF/....PK..
> ...
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
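The issue above turns on two independent properties of a fetched plugin: whether it travelled over TLS and whether the NBM (a ZIP/JAR) carries a JAR-style signature (META-INF/*.SF plus a .RSA/.DSA/.EC block). The following Python is an added example, not code from the JIRA thread or from NetBeans; the function names, the constructed sample archives and the verdict labels are assumptions, and the signature check is a presence check only, not cryptographic verification (which jarsigner -verify performs).

```python
import io
import zipfile
from urllib.parse import urlparse

# Signature block extensions that jarsigner writes next to the .SF file.
SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")

def is_tls_origin(url):
    """True only when the catalog or binary was fetched over https://."""
    return urlparse(url).scheme.lower() == "https"

def nbm_signature_status(nbm_bytes):
    """Classify an NBM as 'signed', 'unsigned' or 'not-a-zip'.
    Presence check for META-INF/*.SF with a matching signature block;
    the certificate chain itself is not validated here."""
    if not nbm_bytes.startswith(b"PK\x03\x04"):      # ZIP local-file-header magic
        return "not-a-zip"
    with zipfile.ZipFile(io.BytesIO(nbm_bytes)) as zf:
        names = set(zf.namelist())
    sf_files = [n for n in names if n.startswith("META-INF/") and n.upper().endswith(".SF")]
    for sf in sf_files:
        stem = sf[:-3]                                   # strip ".SF"
        if any(stem + ext in names or stem + ext.lower() in names for ext in SIG_BLOCK_EXTS):
            return "signed"
    return "unsigned"

def assess_download(url, nbm_bytes):
    """Return (transport_is_tls, signature_status, verdict) for a fetched plugin."""
    tls = is_tls_origin(url)
    sig = nbm_signature_status(nbm_bytes)
    if sig == "signed" and tls:
        verdict = "install"
    elif sig == "signed":
        verdict = "install-but-fix-transport"      # integrity ok, confidentiality/tamper-evidence weak
    else:
        verdict = "reject"                         # unsigned: nothing ties the bytes to a publisher
    return tls, sig, verdict

def _make_nbm(extra_entries):
    """Constructed sample: a minimal NBM-like ZIP with the given extra entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Info/info.xml", "<module/>")
        for name, data in extra_entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

UNSIGNED_NBM = _make_nbm({})                                       # constructed, like the reported nbjavac NBM
SIGNED_NBM = _make_nbm({"META-INF/NBSIGN.SF": "Signature-Version: 1.0\n",
                        "META-INF/NBSIGN.RSA": b"constructed-signature-block"})

if __name__ == "__main__":
    print(assess_download("http://lahoda.info/netbeans/nb-javac-auc/org-netbeans-modules-nbjavac.nbm", UNSIGNED_NBM))
    print(assess_download("https://example.invalid/plugin.nbm", SIGNED_NBM))
```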