Especially since there's nothing on netbeans.org to lead people to believe these builds aren't still valid...

> On Sep 6, 2017, at 9:19 AM, Alvin Thompson <[email protected]> wrote:
>
> Interesting--the daily builds are still working on the original site and are
> producing builds, which seem to have differences between them:
>
> http://bits.netbeans.org/download/trunk/nightly/latest/
>
> Should these be shut down?
>
>> On Sep 6, 2017, at 2:37 AM, Geertjan Wielenga <[email protected]> wrote:
>>
>> Please understand that there are no development builds yet for Apache
>> NetBeans. There is no code yet in the Apache NetBeans repo and hence no
>> builds at all.
>>
>> Thanks,
>>
>> Gj
>>
>> On Wed, 6 Sep 2017 at 01:06, Alvin Thompson <[email protected]> wrote:
>>
>>> Currently on macOS, trying to install the development builds by
>>> double-clicking on the installer results in an error, because the installer
>>> is not signed. To continue, you must bypass this error by right-clicking on
>>> the installer and selecting "open" from the menu, and confirm that you want
>>> to run an app from an untrusted source. The downside is that without the
>>> signature there's no way to know if the installer was altered or replaced.
>>>
>>> The development builds used to be signed, and they probably should still
>>> be signed since the installer requires 'root'-like privileges on macOS, and
>>> prompts you for an admin password to continue.
>>>
>>> Once admin access is granted, the installer can do anything to the system,
>>> therefore the installer should be signed (they used to be). Currently users
>>> are getting used to allowing an installer--that could be altered or
>>> replaced by an attacker--root access to their system, simply because it is
>>> named "NetBeans" and they trust the name. Bad!
>>>
>>> I called this a "reminder" because I assumed that this issue had been
>>> brought up previously. The build used to be broken because it no longer has
>>> access to Oracle's key for signing. Someone "fixed" this by changing the
>>> build to not sign the installer.
>>>
>>> -Alvin
>>>
>>>> On Sep 5, 2017, at 6:07 PM, Geertjan Wielenga <[email protected]> wrote:
>>>>
>>>> Not sure about the reminder part -- can you point to an issue that you're
>>>> referring to here and a way to reproduce or somehow reproduce this?
>>>>
>>>> Gj
>>>>
>>>> On Tue, Sep 5, 2017 at 10:48 PM, Alvin Thompson <[email protected]> wrote:
>>>>
>>>>> I figure I'd write an annoying reminder that currently the installer (at
>>>>> least on macOS) requires admin privileges, but is not signed. This provides
>>>>> an inviting target for someone to alter the installer with malicious
>>>>> content, especially since the NetBeans brand enjoys a high "trust" factor
>>>>> so many developers will not think twice about installing it. If a trojan
>>>>> can happen in Apple's Xcode, it can happen here. Let's not get people used
>>>>> to trusting an unsigned NetBeans installer.
>>>>>
>>>>> Is there any chance we can get these things signed again?
>>>>>
>>>>> -Alvin
