Re: Apache NetBeans and Apache Struts 1?

2023-10-10 Thread Michael Bien
didn't see this mail here, I just replied to it on the users list - 
please don't crosspost if possible.


-mbien


On 11.10.23 02:23, Dill, Ryan wrote:

The latest version of Apache NetBeans (19) still distributes Apache Struts 1:


  * https://github.com/apache/netbeans/blob/3d20321140ae0c530955b54f1812b1ad883ae15a/enterprise/web.struts/nbproject/project.properties#L58

Apache Struts 1 was EOLed a decade ago:


  * https://struts.apache.org/struts1eol-announcement.html
  * https://struts.apache.org/struts1eol-press

Hence, any subsequent bugs or security vulnerabilities found in Struts 1 since 
that time would not have been fixed in the version of Struts distributed with 
modern versions of Apache NetBeans.

I don't know if the continued distribution of Struts 1 with NetBeans 
constitutes an actual vulnerability in NetBeans (since I assume the Struts 
framework is only provided for users to develop new web applications) -- But 
the simple presence of the Struts 1 library files in NetBeans installations 
causes security flags to be raised by third-party security scanning tools that 
our corporation is using, like Rapid 7 (https://www.rapid7.com/).

At the very least, continuing to distribute Struts 1 with NetBeans seems to 
introduce risk that end-users using NetBeans to develop web applications with 
Struts (e.g. as per 
https://netbeans.apache.org/kb/docs/web/quickstart-webapps-struts.html) may end 
up producing a web application with Struts 1 without necessarily knowing it's EOL, 
creating more risk in their web application than necessary.

Is there a reason that NetBeans is still distributing long-EOLed Struts 1 
instead of something more modern (e.g. Struts 2.5.x, or even Struts 6.x)?

I originally asked this question at the users list at 
us...@netbeans.apache.org, and was told that the reason 
was "because you haven't provided a pull request".

But in the "Committing Code" instructions at 
https://netbeans.apache.org/participate/submit-pr.html, it specifically says "Before starting 
to code, you may want to discuss the problem in the developer mailing list". Please consider 
this to be that discussion.

Just to clarify -- I'm not a NetBeans developer, nor do I know anything at all 
about its codebase -- I'm just trying to confirm from more knowledgeable people 
what the design intent is -- i.e. is there a legitimate architectural reason 
why Struts 1 is still being distributed?

Thanks.

--
Ryan Dill (he/him) | R Tools and Services | Ciena
cd...@ciena.com | 5050 Innovation Drive | Kanata, ON, K2K 0J2, Canada





-
To unsubscribe, e-mail: dev-unsubscr...@netbeans.apache.org
For additional commands, e-mail: dev-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists

Apache NetBeans and Apache Struts 1?

2023-10-10 Thread Dill, Ryan
The latest version of Apache NetBeans (19) still distributes Apache Struts 1:


  * https://github.com/apache/netbeans/blob/3d20321140ae0c530955b54f1812b1ad883ae15a/enterprise/web.struts/nbproject/project.properties#L58

Apache Struts 1 was EOLed a decade ago:


  * https://struts.apache.org/struts1eol-announcement.html
  * https://struts.apache.org/struts1eol-press

Hence, any subsequent bugs or security vulnerabilities found in Struts 1 since 
that time would not have been fixed in the version of Struts distributed with 
modern versions of Apache NetBeans.

I don't know if the continued distribution of Struts 1 with NetBeans 
constitutes an actual vulnerability in NetBeans (since I assume the Struts 
framework is only provided for users to develop new web applications) -- But 
the simple presence of the Struts 1 library files in NetBeans installations 
causes security flags to be raised by third-party security scanning tools that 
our corporation is using, like Rapid 7 (https://www.rapid7.com/).

At the very least, continuing to distribute Struts 1 with NetBeans seems to 
introduce risk that end-users using NetBeans to develop web applications with 
Struts (e.g. as per 
https://netbeans.apache.org/kb/docs/web/quickstart-webapps-struts.html) may end 
up producing a web application with Struts 1 without necessarily knowing it's EOL, 
creating more risk in their web application than necessary.

Is there a reason that NetBeans is still distributing long-EOLed Struts 1 
instead of something more modern (e.g. Struts 2.5.x, or even Struts 6.x)?

I originally asked this question at the users list at 
us...@netbeans.apache.org, and was told that 
the reason was "because you haven't provided a pull request".

But in the "Committing Code" instructions at 
https://netbeans.apache.org/participate/submit-pr.html, it specifically says 
"Before starting to code, you may want to discuss the problem in the developer 
mailing list". Please consider this to be that discussion.

Just to clarify -- I'm not a NetBeans developer, nor do I know anything at all 
about its codebase -- I'm just trying to confirm from more knowledgeable people 
what the design intent is -- i.e. is there a legitimate architectural reason 
why Struts 1 is still being distributed?

Thanks.

--
Ryan Dill (he/him) | R Tools and Services | Ciena
cd...@ciena.com | 5050 Innovation Drive | Kanata, ON, K2K 0J2, Canada



Re: [VOTE] Release lib.profiler natives version 1-24aefa9

2023-10-10 Thread Antonio

+1 (binding)

Checked SHAsums and GPG signatures. Proper NOTICE/LICENSE. Sources 
include headers (*)


Looks good to me. Thanks all!

(*) /profiler/lib.profiler/native/README.txt doesn't have a license 
header, but that's ok.


On 10/10/23 20:57, Matthias Bläsing wrote:

This is a vote on the lib.profiler native binaries. As the binary
artefacts are consumed by the IDE build, we need to release them
separately when they need updating.

The main purpose of this version is to allow us to ship Apple Silicon
support for the profiler in NetBeans 20.

Voting artifacts are to be found here:
https://dist.apache.org/repos/dist/dev/netbeans/native/netbeans-profiler/1-r24aefa9/

Primary voting artefact:
https://dist.apache.org/repos/dist/dev/netbeans/native/netbeans-profiler/1-r24aefa9/profiler-external-binaries-1-24aefa9.zip
SHA512: fc8cd47aed268f6d98d3603e892632a8d0a14aaab68f62f05c807bf0a756ad9904ee4e5ad0f5a9e10168b71cf478cb57e229a49d002948b2239681df26df3392

Zipped binary artefacts:
https://dist.apache.org/repos/dist/dev/netbeans/native/netbeans-profiler/1-r24aefa9/profiler-external-binaries-1-24aefa9.zip
SHA512: bf4095f4df8781c9745c3ac60cfc1af3fcab06bfbb476fba86915056377c704ca70a8611c9b2e6c0963adbed260c7218b541787e3355b1548dcd5ddb7f730107

Once released the binaries will be consumed by the IDE.  A draft PR,
including dev build, using the staged artefacts is at
https://github.com/apache/netbeans/pull/6502 (PR demonstrates
principle, version is different).

The source and binary artefacts were created in GitHub actions run
https://github.com/apache/netbeans/actions/runs/6448227185 using the
workflow at
https://github.com/apache/netbeans/actions/runs/6448227185/workflow

The workflow extracts the necessary parts of the NetBeans repository
into the source bundle, then passes the source bundle to the various
different OS runners to build the binaries.  See the workflow file for
how to build from source on each OS.

This vote is going to be open at least 72 hours. Vote with +1, 0, and
-1 as usual. Please mark your vote with (binding) if you're an Apache
NetBeans PMC member.

Many thanks everyone,

Best wishes,

Matthias



Re: [VOTE] Release dlight.nativeexecution natives version 1-24aefa9

2023-10-10 Thread Antonio

+1 (binding)

Checked SHAsums and GPG signatures. Proper NOTICE/LICENSE. Sources 
include headers.


Looks good to me. Thanks all!


On 10/10/23 20:57, Matthias Bläsing wrote:

This is a vote on the dlight.nativeexecution native binaries. As the
binary artefacts are consumed by the IDE build, we need to release them
separately when they need updating.

The main purpose of this version is to allow us to ship Apple Silicon
support for the terminal in NetBeans 20.

Voting artifacts are to be found here:
https://dist.apache.org/repos/dist/dev/netbeans/native/netbeans-nativeexecution/1-r24aefa9/

Primary voting artefact:
https://dist.apache.org/repos/dist/dev/netbeans/native/netbeans-nativeexecution/1-r24aefa9/nativeexecution-external-sources-1-24aefa9.zip
SHA512: 3617769041f2883ef522770d237ee30cbd2844b8b89eb466c3020247a151ac450615394705bae9291a8c452fb65199d2e765e45327776fc21af69ef20ddf5d44

Zipped binary artefacts:
https://dist.apache.org/repos/dist/dev/netbeans/native/netbeans-nativeexecution/1-r24aefa9/nativeexecution-external-binaries-1-24aefa9.zip
SHA512: 429b5ada5be9bf02b6aaa3da94880296c4052e036e805c64d114ac3bbe47f057a1b19251904ec1fefc3c21a24b8dbf553bbc9813fe717b9f4c94caf2c585e7e5

Once released the binaries will be consumed by the IDE.  A draft PR,
including dev build, using the staged artefacts for Apple Silicon only
is at https://github.com/apache/netbeans/pull/6521 (PR demonstrates
principle, version is different).

The source and binary artefacts were created in GitHub actions run
https://github.com/apache/netbeans/actions/runs/6448227183 using the
workflow at
https://github.com/apache/netbeans/actions/runs/6448227183/workflow

The workflow extracts the necessary parts of the NetBeans repository
into the source bundle, then passes the source bundle to the various
different OS runners to build the binaries.  See the workflow file for
how to build from source on each OS (only macOS and Linux at present).

This vote is going to be open at least 72 hours. Vote with +1, 0, and
-1 as usual. Please mark your vote with (binding) if you're an Apache
NetBeans PMC member.

Many thanks everyone,

Best wishes,

Matthias



[VOTE] Release dlight.nativeexecution natives version 1-24aefa9

2023-10-10 Thread Matthias Bläsing
This is a vote on the dlight.nativeexecution native binaries. As the
binary artefacts are consumed by the IDE build, we need to release them
separately when they need updating.

The main purpose of this version is to allow us to ship Apple Silicon
support for the terminal in NetBeans 20.

Voting artifacts are to be found here:
https://dist.apache.org/repos/dist/dev/netbeans/native/netbeans-nativeexecution/1-r24aefa9/

Primary voting artefact:
https://dist.apache.org/repos/dist/dev/netbeans/native/netbeans-nativeexecution/1-r24aefa9/nativeexecution-external-sources-1-24aefa9.zip
SHA512: 3617769041f2883ef522770d237ee30cbd2844b8b89eb466c3020247a151ac450615394705bae9291a8c452fb65199d2e765e45327776fc21af69ef20ddf5d44

Zipped binary artefacts:
https://dist.apache.org/repos/dist/dev/netbeans/native/netbeans-nativeexecution/1-r24aefa9/nativeexecution-external-binaries-1-24aefa9.zip
SHA512: 429b5ada5be9bf02b6aaa3da94880296c4052e036e805c64d114ac3bbe47f057a1b19251904ec1fefc3c21a24b8dbf553bbc9813fe717b9f4c94caf2c585e7e5

Once released the binaries will be consumed by the IDE.  A draft PR,
including dev build, using the staged artefacts for Apple Silicon only
is at https://github.com/apache/netbeans/pull/6521 (PR demonstrates
principle, version is different).

The source and binary artefacts were created in GitHub actions run
https://github.com/apache/netbeans/actions/runs/6448227183 using the
workflow at
https://github.com/apache/netbeans/actions/runs/6448227183/workflow

The workflow extracts the necessary parts of the NetBeans repository
into the source bundle, then passes the source bundle to the various
different OS runners to build the binaries.  See the workflow file for
how to build from source on each OS (only macOS and Linux at present).

This vote is going to be open at least 72 hours. Vote with +1, 0, and
-1 as usual. Please mark your vote with (binding) if you're an Apache
NetBeans PMC member.

Many thanks everyone,

Best wishes,

Matthias


[VOTE] Release lib.profiler natives version 1-24aefa9

2023-10-10 Thread Matthias Bläsing
This is a vote on the lib.profiler native binaries. As the binary
artefacts are consumed by the IDE build, we need to release them
separately when they need updating.

The main purpose of this version is to allow us to ship Apple Silicon
support for the profiler in NetBeans 20.

Voting artifacts are to be found here:
https://dist.apache.org/repos/dist/dev/netbeans/native/netbeans-profiler/1-r24aefa9/

Primary voting artefact:
https://dist.apache.org/repos/dist/dev/netbeans/native/netbeans-profiler/1-r24aefa9/profiler-external-binaries-1-24aefa9.zip
SHA512: fc8cd47aed268f6d98d3603e892632a8d0a14aaab68f62f05c807bf0a756ad9904ee4e5ad0f5a9e10168b71cf478cb57e229a49d002948b2239681df26df3392

Zipped binary artefacts:
https://dist.apache.org/repos/dist/dev/netbeans/native/netbeans-profiler/1-r24aefa9/profiler-external-binaries-1-24aefa9.zip
SHA512: bf4095f4df8781c9745c3ac60cfc1af3fcab06bfbb476fba86915056377c704ca70a8611c9b2e6c0963adbed260c7218b541787e3355b1548dcd5ddb7f730107

Once released the binaries will be consumed by the IDE.  A draft PR,
including dev build, using the staged artefacts is at
https://github.com/apache/netbeans/pull/6502 (PR demonstrates
principle, version is different).

The source and binary artefacts were created in GitHub actions run
https://github.com/apache/netbeans/actions/runs/6448227185 using the
workflow at
https://github.com/apache/netbeans/actions/runs/6448227185/workflow

The workflow extracts the necessary parts of the NetBeans repository
into the source bundle, then passes the source bundle to the various
different OS runners to build the binaries.  See the workflow file for
how to build from source on each OS.

This vote is going to be open at least 72 hours. Vote with +1, 0, and
-1 as usual. Please mark your vote with (binding) if you're an Apache
NetBeans PMC member.

Many thanks everyone,

Best wishes,

Matthias
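As an added example of the checks a voter reports in this thread ("Checked SHAsums and GPG signatures"), and not code from the thread or from the NetBeans project: a POSIX shell script that compares a downloaded artefact against the SHA512 quoted in the vote mail and verifies its detached signature using a throwaway keyring built only from the project's KEYS file. The `<zip>.asc` signature name and the KEYS file path are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example (not the project's own tooling): verify a staged release
# artefact before voting. Usage: sh verify-artefact.sh <zip> <sha512> [KEYS]
# Assumptions: the detached signature sits beside the zip as <zip>.asc and
# KEYS is the project's exported PGP KEYS file (path supplied by the caller).
set -eu

# SHA512 hex digest of a file; coreutils sha512sum on Linux, shasum on macOS.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 if the file's digest equals the digest copied from the vote mail.
# Case is normalised because mails quote digests in either case; the length
# check catches a digest truncated while copying it out of the mail.
check_sha512() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ ${#expected} -eq 128 ] || return 1
    [ "$(sha512_of "$1")" = "$expected" ]
}

# Returns 0 if <file>.asc is a good signature from a key listed in KEYS. The
# keyring lives in a throwaway GNUPGHOME so nothing already trusted on this
# machine can vouch for the artefact; only keys published by the project count.
check_gpg_signature() {
    file=$1; keys=$2
    home=$(mktemp -d)
    rc=1
    if gpg --homedir "$home" --batch --quiet --import "$keys" \
       && gpg --homedir "$home" --batch --verify "$file.asc" "$file"; then
        rc=0
    fi
    rm -rf "$home"
    return $rc
}

# Run both checks only when invoked with arguments, so the file can also be
# sourced for its functions without side effects.
if [ $# -ge 2 ]; then
    check_sha512 "$1" "$2" && echo "SHA512 OK: $1" \
        || { echo "SHA512 MISMATCH: $1"; exit 1; }
    if [ $# -ge 3 ]; then
        check_gpg_signature "$1" "$3" && echo "GPG signature OK" \
            || { echo "GPG signature BAD"; exit 1; }
    fi
fi
```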


Re: [DISCUSS] Native binary handling (or, does NetBeans have a future on macOS?)

2023-10-10 Thread Neil C Smith
On Sun, 8 Oct 2023 at 15:48, Matthias Bläsing
 wrote:
> Am Mittwoch, dem 04.10.2023 um 20:44 +0100 schrieb Neil C Smith:
> > If the vote doesn't pass then someone else will need to do the
> > various PRs (I'm tied up most of next week), or we delay freeze, or
> > we have another release without Apple Silicon support?
>
> I'm willing to give releasing the native artifacts a try.
>
> So would you be willing to close the first set of votes? Then I would
> call a vote on:
>
> 1-24aefa99e4f366699431e3e85e6b1127e966a151
>
> That is the release, that holds the merge of the modified built.

Thanks Matthias.

Votes are closed properly and I've unstaged the previous artefacts.

A complete change of plan for me this week due to a return visit from
the lovely Mr Corona means I will be near both the machine with my
signing keys and an M1 Mac.  Can test these, or handle some things if
needed.  Let me know.

Incidentally, IMO let's make the version -

1-r24aefa9 (as before) or 1-24aefa9

The 7 character hash as shown on the workflow summary should be fine,
and the resulting urls are long enough already (given hash will be in
path twice)?

Best wishes,

Neil


[CANCELLED][VOTE] Release lib.profiler natives version 1-r2196e46

2023-10-10 Thread Neil C Smith
This vote was cancelled due to issues raised with the binary artefact.
New vote to follow.

Thanks,

Neil


[CANCELLED][VOTE] Release dlight.nativeexecution natives version 1-reb9e96d

2023-10-10 Thread Neil C Smith
This vote was cancelled due to issues raised with the binary artefact.
New vote to follow.

Thanks,

Neil


Re: [VOTE] Release dlight.nativeexecution natives version 1-reb9e96d

2023-10-10 Thread Neil C Smith
This vote is cancelled along with the profiler native binaries vote.

Revised voting artefacts and new vote thread to follow.

Neil

On Wed, 4 Oct 2023 at 11:27, Neil C Smith  wrote:
>
> This is a vote on the dlight.nativeexecution native binaries. As the
> binary artefacts are consumed by the IDE build, we need to release
> them separately when they need updating.
>
> The main purpose of this version is to allow us to ship Apple Silicon
> support for the terminal in NetBeans 20.
>
> Primary voting artefact:
> https://dist.apache.org/repos/dist/dev/netbeans/native/netbeans-nativeexecution/1-reb9e96d/nativeexecution-external-sources-1-reb9e96d.zip
> SHA: ca4f322b7dc78fb2cd083dddf46195c98514b818a2e01d2ac5f54f389f51274b13e6d5bff124b36062acf01a01544778cd902df779df44513ca4b4d2e7770394
>
> Alongside the source artefact are the zipped binary artefacts :
>
> https://dist.apache.org/repos/dist/dev/netbeans/native/netbeans-nativeexecution/1-reb9e96d/
>
> Once released the binaries will be consumed by the IDE.  A draft PR,
> including dev build, using the staged artefacts for Apple Silicon only
> is at https://github.com/apache/netbeans/pull/6521
>
> The source and binary artefacts were created in GitHub actions run
> https://github.com/apache/netbeans/actions/runs/6395128403 using the
> workflow at 
> https://github.com/apache/netbeans/actions/runs/6395128403/workflow
>
> The workflow extracts the necessary parts of the NetBeans repository
> into the source bundle, then passes the source bundle to the various
> different OS runners to build the binaries.  See the workflow file for
> how to build from source on each OS (only macOS and Linux at present).
>
> NB. Like the open lib.profiler vote, the binary zip does not contain a
> notice or license file.  There are a number of reasons for this.  It
> will be addressed in future updates of these workflows and how the zip
> is consumed.  The binaries are internal, not directly public facing,
> and only used by a source build of NetBeans that already contains said
> license and notice files.
>
> This vote is going to be open at least 72 hours. Vote with +1, 0, and
> -1 as usual. Please mark your vote with (binding) if you're an Apache
> NetBeans PMC member.
>
> Many thanks everyone,
>
> Best wishes,
>
> Neil
