Yes, those builds are valid. Yet they have nothing to do with Apache. Can you stop writing in this thread and discuss in the other thread instead, i.e., the one with Oracle engineers included?
Thanks, Gj On Wed, Sep 6, 2017 at 3:21 PM, Alvin Thompson <[email protected]> wrote: > Especially since there's nothing on netbeans.org <http://netbeans.org/> > to lead people to believe these builds aren't still valid... > > > > On Sep 6, 2017, at 9:19 AM, Alvin Thompson <[email protected]> > wrote: > > > > Interesting--the daily builds are still working on the original site and > are producing builds, which seem to have differences between them: > > > > http://bits.netbeans.org/download/trunk/nightly/latest/ < > http://bits.netbeans.org/download/trunk/nightly/latest/> > > > > Should these be shut down? > > > > > >> On Sep 6, 2017, at 2:37 AM, Geertjan Wielenga < > [email protected] <mailto:[email protected]>> > wrote: > >> > >> Please understand that there are no development builds yet for Apache > >> NetBeans. There is no code yet in the Apache NetBeans repo and hence no > >> builds at all. > >> > >> Thanks, > >> > >> Gj > >> > >> On Wed, 6 Sep 2017 at 01:06, Alvin Thompson <[email protected] > <mailto:[email protected]>> wrote: > >> > >>> Currently on macOS, trying to install the development builds by > >>> double-clicking on the installer results in an error, because the > installer > >>> is not signed. To continue, you must bypass this error by > right-clicking on > >>> the installer and selecting "open" from the menu, and confirm that you > want > >>> to run an app from an untrusted source. The downside is that without > the > >>> signature there's no way to know if the installer was altered or > replaced. > >>> > >>> The development builds used to be signed, and they probably should > still > >>> be signed since the installer requires 'root'-like privileges on > macOS, and > >>> prompts you for an admin password to continue. > >>> > >>> Once admin access is granted, the installer can do anything to the > system, > >>> therefore the installer should be signed (they used to be). Currently > users > >>> are getting used to allowing an installer--that could be altered or > >>> replaced by an attacker--root access to their system, simply because > it is > >>> named "NetBeans" and they trust the name. Bad! > >>> > >>> I called this a "reminder" because I assumed that this issue had been > >>> brought up previously. The build used to be broken because it no > longer has > >>> access to Oracle's key for signing. Someone "fixed" this by changing > the > >>> build to not sign the installer. > >>> > >>> -Alvin > >>> > >>> > >>>> On Sep 5, 2017, at 6:07 PM, Geertjan Wielenga < > >>> [email protected] <mailto:geertjan.wielenga@ > googlemail.com>> wrote: > >>>> > >>>> Not sure about the reminder part -- can you point to an issue that > you're > >>>> referring to here and a way to reproduce or somehow reproduce this? > >>>> > >>>> Gj > >>>> > >>>> On Tue, Sep 5, 2017 at 10:48 PM, Alvin Thompson < > [email protected] <mailto:[email protected]> > >>>> > >>>> wrote: > >>>> > >>>>> I figure I'd write an annoying reminder that currently the installer > (at > >>>>> least on macOS) requires admin privileges, but is not signed. This > >>> provides > >>>>> an inviting target for someone to alter the installer with malicious > >>>>> content, especially since the NetBeans brand enjoys a high "trust" > >>> factor > >>>>> so many developers will not think twice about installing it. If a > trojan > >>>>> can happen in Apple's Xcode, it can happen here. Let's not get people > >>> used > >>>>> to trusting an unsigned NetBeans installer. > >>>>> > >>>>> Is there any chance we can get these things signed again? > >>>>> > >>>>> -Alvin > >>>>> > >>>>> > >>> > >>> > > > >
