On 6/14/22 11:28 AM, Ernie Rael wrote:
I built nb based on current delivery branch for local use (I see that release140 is now available). I'd like to know what difference there is from this to what is released.

I build from the 'release140' branch on GitHub, and below are the differences between the sources of that Git branch and the sources used to build the official NetBeans release (as of the 14-rc6 date):

$ diff -qr ./ ~/opt/netbeans-14-rc6-src/
Only in ./: contrib
Only in ./cpplite: README.md
Only in /home/john/opt/netbeans-14-rc6-src/: DEPENDENCIES
Only in ./enterprise: performance.javaee
Only in ./enterprise: performance.scripting
Only in ./enterprise: performance.web
Only in ./ergonomics: performance.ergonomics
Only in ./java: build.xml
Only in ./java: performance
Only in ./java: performance.java
Files ./LICENSE and /home/john/opt/netbeans-14-rc6-src/LICENSE differ
Only in /home/john/opt/netbeans-14-rc6-src/: licenses
Only in /home/john/opt/netbeans-14-rc6-src/nbbuild: gitinfo.properties
Only in /home/john/opt/netbeans-14-rc6-src/nbbuild: netbeansrelease.json
Files ./NOTICE and /home/john/opt/netbeans-14-rc6-src/NOTICE differ

It makes me nervous that we're shipping a release of NetBeans that is built from source code with no relation to a branch or release tag on GitHub. We're losing the cryptographic guarantee on the source code provided by the Git commit hashes.

That's how the SolarWinds supply-chain attack happened -- by modifying source code files during the build process, away from the eyes of all the developers tracking the source code under version control.

I've no idea where/how these changes are made to the repo build for release. Where to look?

Look here:

Build #27 (Jun 1, 2022 1:45:59 PM)
https://ci-builds.apache.org/job/Netbeans/job/netbeans-TLP/job/netbeans/job/release140/27/

Download the "consoleText" file from the link called "View as plain text" on the left. Then look for the creation of the archive file "release-src-666.zip".

You'll find that the sources used to build the official NetBeans release are created by this Ant command:

$ ant build-source-config -Dcluster.config=release \
  -Dbuildnum=666 -Dmetabuild.branch=release140

The Ant task is defined here:

target name="build-source-config" ...
https://github.com/apache/netbeans/blob/master/nbbuild/build.xml#L1663

John
