On 6/15/22 3:05 AM, Neil C Smith wrote:
> I can think of at least one person who checks the diff between source bundle and git repository when voting - that could be made more explicit in the voting instructions perhaps?
That verification of every file (every line!) in the source release seems critical to me. The source code in our repository is essentially just the source code for the source code.
Although those source changes are trivial, it's also the perfect opportunity to introduce a supply-chain attack by adding a malicious change during the build.
Has anyone made an attempt to create a reproducible build of NetBeans so that we could detect such an attack? Starting with version 19, the build of OpenJDK itself is reproducible. That means the build of any pure-Java application can be reproducible now, too!
JDK 19+21 early-access build is reproducible
https://lists.reproducible-builds.org/pipermail/rb-general/2022-May/002565.html

Then anyone could verify our build of NetBeans with:

$ git clone https://github.com/apache/netbeans.git
$ cd netbeans
$ git switch release140
$ export SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)
$ ant build -Dmetabuild.branch=release140

Or using our current two-step process:

$ git clone https://github.com/apache/netbeans.git
$ cd netbeans
$ git switch release140
$ export SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)
$ ant build-source-config -Dcluster.config=release \
      -Dbuildnum=666 -Dmetabuild.branch=release140
$ ant -f build-release-temp/build.xml build -Dcluster.config=release \
      -Ddo.build.windows.launchers=true -Dmetabuild.branch=release140

John

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
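An added example, not part of John's message or of the NetBeans project's own tooling: a POSIX shell script that performs the two checks the thread talks about. `compare_source_trees` diffs an unpacked source bundle against a git checkout file by file (ignoring `.git`), which is the voter's check Neil mentions; `builds_match` compares the SHA-256 of two independently produced artifacts, which is how a reproducible rebuild would expose a change slipped in during the build; `source_date_epoch` derives `SOURCE_DATE_EPOCH` from the checked-out commit the way the commands above do. It assumes GNU `diff` and `sha256sum` are installed; the directory and artifact paths are placeholders supplied on the command line.

```shell
#!/bin/sh
# Added example (not from the original thread): verify a source release
# against git, and verify that two builds are byte-identical.
# Assumes: POSIX sh, GNU diff (for -r, -q, -x) and sha256sum.

set -eu

# Derive SOURCE_DATE_EPOCH from the HEAD commit of a checkout, as the
# message above does, so timestamps embedded by the build are fixed.
source_date_epoch() {
    git -C "$1" log -1 --pretty=%ct
}

# Compare an unpacked source bundle with a git checkout.
# Prints each path that exists on only one side or whose content differs.
# Returns 0 when the trees are identical (apart from .git), 1 otherwise.
compare_source_trees() {
    bundle_dir=$1
    checkout_dir=$2
    if diff -r -x .git "$bundle_dir" "$checkout_dir" >/dev/null 2>&1; then
        echo "source bundle matches checkout"
        return 0
    fi
    # -q lists differing files instead of dumping every hunk
    diff -rq -x .git "$bundle_dir" "$checkout_dir" || true
    return 1
}

# Compare two build artifacts (e.g. the voted-on zip and a local rebuild
# under the same SOURCE_DATE_EPOCH) by SHA-256.
# Returns 0 when the digests are equal, 1 otherwise.
builds_match() {
    a=$(sha256sum "$1" | cut -d' ' -f1)
    b=$(sha256sum "$2" | cut -d' ' -f1)
    if [ "$a" = "$b" ]; then
        echo "reproducible: $a"
        return 0
    fi
    echo "MISMATCH:"
    echo "  $1  $a"
    echo "  $2  $b"
    return 1
}

# Usage: ./verify.sh <unpacked-bundle> <git-checkout> [artifact-a artifact-b]
if [ "$#" -ge 2 ]; then
    compare_source_trees "$1" "$2"
    if [ "$#" -ge 4 ]; then
        builds_match "$3" "$4"
    fi
fi
```

A mismatch from either function is only a starting point: a differing file in the source tree points at exactly what to read, while a digest mismatch between two builds means either the build is not yet reproducible (a timestamp or ordering leak) or something was added at build time, and the two cases are told apart by diffing the unpacked artifacts.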
