Re: Netbeans and malware article

2020-05-30 Thread zeugme
Hi,

I like the wording. In fact, it is more a Github project maintainer issue
that didn't filter a new file on his repo.
The fact this repo was based on an IDE and that the threatening file
exploits this information could lead to more risk using source code from
public repos, with Netbeans or not.
So the blog entry could also suggest the start of an IDE proper tech answer
to mitigate this risk.
I think all IDEs will have to provide something to mitigate this risk
otherwise, the open source will be at risk.

Providing an answer is something to do right now to inject trust.

On Sat, 30 May 2020 at 15:57, Emma Atkinson wrote:

> I wouldn't treat this as a negative thing about which to be defensive. It
> can be positive and show the team in a good light.
>
> Here's a suggestion
>
> We are aware of news report ... etc.
> We contacted the researchers behind the news.  They found 26 infected
> projects. The owners have been contacted and their accounts have been made
> private, which we think is the correct action.
> We contacted the researcher who has given us some additional information.
> We will examine the information to identify whether there is anything we
> could add or change to Netbeans. There appears to be no need for urgent
> action ahead of the imminent release of Netbeans IDE version 12.
>
> Perhaps add.
>
> We welcome suggestions from Netbeans  users. Please send your constructive
> proposals and suggestions to .
>
> Then give the key details of the problems uncovered.
>
>
> Just a suggestion.
>
> Emma
>
>
>
>
> On Sat, 30 May 2020, 14:11 Geertjan Wielenga,  wrote:
>
>>
>> OK, I’ll put together a blog we can refer to that will say this —
>> “research has been done on GitHub that identified 26 small Ant-based Java
>> projects, mostly games, some of them by the same person, none of the
>> projects appeared to be enterprise/professional, that had been infiltrated
>> by malware. The projects have been set to private on GitHub and the project
>> owners have been approached about this. The malware campaign has had very
>> low impact and is considered by GitHub to be over.”
>>
>> Most of the above is not in the research article, but comes from me
>> asking repeated questions on Twitter to the guy behind the report.
>>
>> Gj
>>
>>
>> On Sat, 30 May 2020 at 13:57, Emilian Bold 
>> wrote:
>>
>>> Note this is not a CVE since it's not a NetBeans vulnerability.
>>>
>>> Executing any build will run with the local user privileges on any
>>> popular IDE and injecting something dubious in a build is trivial.
>>>
>>> Still, I think GitHub could have approached the Apache security team so
>>> the NetBeans PMC has a reply to this.
>>>
>>> It would be trivial to push a check for that cache.dat file but it's not
>>> the role of the IDE to play at being an antivirus.
>>>
>>> --emi
>>>
>>> On Sat, 30 May 2020, 14:03 Geertjan Wielenga wrote:
>>>

>>>> It seems to me like we should put out a blog entry with some response
>>>> to this. Just so that we have a central point to refer to when people ask
>>>> about this.
>>>>
>>>> However, I have no idea what that blog entry should say, beyond “if
>>>> someone wants to do so, they can inject malware into the build process of
>>>> software, here’s an example of how they can do that”, and then point to
>>>> that report.
>>>>
>>>> Gj
>>>>
>>>> On Sat, 30 May 2020 at 12:08, Emma Atkinson wrote:
>>>>
>>>>> Should someone from the Apache Netbeans governing team, approach
>>>>> Microsoft for information on this matter?
>>>>>
>>>>> I would have thought Microsoft GitHub would welcome any approach that
>>>>> might go some way toward tackling the problem.  Knowing details should
>>>>> enable the Netbeans and NetbeansIDE communities to help. It would also be
>>>>> good for the public to know Apache Netbeans takes these matters as
>>>>> seriously as Oracle would have done.  Be on the front foot.
>>>>>
>>>>> This might be a matter of reducing risk rather than eliminating a
>>>>> vulnerability.  Any fix may not involve much effort. Perhaps a written or
>>>>> updated guide might be all that is needed. If the contaminated accounts
>>>>> belong to computer science students, perhaps some changes to Apache
>>>>> Netbeans IDE defaults, or added warnings would help users avoid
>>>>> inadvertent contamination of their code or build environments from
>>>>> untrusted origins. A general lesson in good practice perhaps.
>>>>>
>>>>> Emma
>>>>>
>>>>>
>>>>> On Sat, 30 May 2020, 09:32 Emilian Bold wrote:
>>>>>
>>>>>> I'm leaning towards this being a student project honestly. Why would a
>>>>>> company developing a legacy project grab random unknown Ant-based
>>>>>> projects from GitHub?
>>>>>>
>>>>>> But NetBeans is used a lot for teaching and I suspect teachers don't
>>>>>> introduce Maven / Gradle since they are more complex and they use the
>>>>>> default Ant-based build system.
>>>>>>
>>>>>> So, if a smart student wants to troll his fellow students it does

Re: [java] [tomcat] Is there a trick to deploying a web app to Tomcat?

2020-05-29 Thread zeugme
Yes, I can confirm.
There is a bug on Tomcat launch with previous versions of NB, at least
version 11.
It works fine with version 12 beta.

On Wed, 27 May 2020 at 07:42, Geertjan Wielenga  wrote:

>
> Can you try this scenario with 12.0 Beta 5? There has been a recent fix in
> this area.
>
> bit.ly/download-12-0-beta-5
>
> Gj
>
> On Wed, 27 May 2020 at 04:25, René Aravena  wrote:
>
>> Hi, I had that problem with the apache-tomcat-9.0.35 (last) version, I
>> went back to the apache-tomcat-9.0.30 and it worked ok, however I didn't
>> have time to investigate what it was about.
>> Maybe if you just need it to work the deployment this information will be
>> useful.
>>
>> René Aravena
>>
>>
>> On Tue, 26 May 2020 at 21:11, Matt Baron (
>> mbaron.netbe...@fastmail.com) wrote:
>>
>>> Software: NetBeans 11.3, Tomcat 8.8.55.
>>>
>>> I have a simple, out of the box Maven web/servlet app that is
>>> effectively a "Hello world" app.
>>>
>>> When I set it up to run in a Wildfly or GlassFish server it deploys and
>>> runs fine, with no special configuration other than setting up the "Server"
>>> in NetBeans.
>>>
>>> When I set it up to run in Tomcat, the entire deployment  (as in when I
>>> hit the Run button) seems to hang.  It will start the Tomcat server, but
>>> the war file is never copied anywhere in $CATALINA_HOME.  The NetBeans GUI
>>> hourglasses, saying "Waiting for tomcat", despite the Catalina log saying
>>> the server started just fine.
>>>
>>> If I manually copy the war file to $CATALINA_HOME/webapps, Tomcat will
>>> automatically deploy the war file with no issues.
>>>
>>> Any ideas on how to get this to work?
>>>
>>>
>>>
>>>


Re: When will 12.0 be released?

2020-05-18 Thread zeugme
Done.
I'm happy the Tomcat bug is corrected on NB 12 (I tested it).
For perf, no difference I was able to notice.
Beta 2 was not stable. Beta 4 is stable for me.

I don't know why some plugins are downloaded the first time. This just
didn't work on beta 3.
It worked perfectly using beta 4.
I'm on Mac 10.11.8, something tagged as old now.

Feel free to ask for anything specific to test on beta 4 if I can help ...

On Mon, 18 May 2020 at 09:02, Ty Young  wrote:

>
> On 5/18/20 12:55 AM, Geertjan Wielenga wrote:
>
> Hi all,
>
> Apache NetBeans 12.0 will be released once many of you:
>
> 1. Download beta 4: http://bit.ly/download-12-0-beta-4
>
> 2. Try it out. Here is an overview of the newest features, though
> incomplete:
>
> https://cwiki.apache.org/confluence/display/NETBEANS/Apache+NetBeans+12.0
>
> 3. Fill in this very quick survey: bit.ly/12-0-community-acceptance-survey
>
> Thanks!
>
>
> I could share this on Reddit if you'd like. Not everyone is subscribed to
> the mailing lists after all.
>
>
>
> Gj
>
>


Re: Geertjan Wielenga has invited you to join a Slack workspace

2020-05-15 Thread zeugme
Thank you, it works fine!

On Fri, 15 May 2020 at 15:31, Slack  wrote:

> Join NetBeans on Slack
>
> Geertjan Wielenga (geertjan.wielenga@googlemail.com) has invited you to
> join the Slack workspace *NetBeans*. Join now to start collaborating!
> Workspace name: NetBeans
> *NetBeans*
> Workspace URL: netbeans.slack.com
>


Re: Netbeans Slack channel

2020-05-15 Thread zeugme
Hi Peter,

Probably more a Slack global "feature" on invitation link that had expired.
Once an invitation is sent, it is not linked to a user.

Anyone on both Slack and this list here?
Could it be possible to send a fresh invitation link, please?

On Fri, 15 May 2020 at 11:08, Peter Steele  wrote:

> Probably because the person who created the original invite is not on
> slack anymore.
>
> That is one thing discord is much better at
>
> On Fri, 15 May 2020, 09:48 zeugme,  wrote:
>
>> Hi,
>>
>> I'd like to join Slack chan mentioned here, but the link is deprecated.
>> https://netbeans.apache.org/community/mailing-lists.html
>> This doc page uses this link that, in turn, leads to a deprecated link:
>> https://tinyurl.com/netbeans-slack-signup
>> The full deprecated link underneath is here:
>>
>> https://netbeans.slack.com/join/shared_invite/enQtMzcyNzM5MjYwMDUxLTg1YmVkMWUxYzlhMTE3NzRiMTM4N2E0Yjc5MDdkYzZkM2Q5ZjI5ZTE5NmE3MTZmNTJlYjBmMGFhOTQwNTM2YmQ
>>
>>
>> Any idea ?
>>
>> Thanks !
>>
>


Netbeans Slack channel

2020-05-15 Thread zeugme
Hi,

I'd like to join Slack chan mentioned here, but the link is deprecated.
https://netbeans.apache.org/community/mailing-lists.html
This doc page uses this link that, in turn, leads to a deprecated link:
https://tinyurl.com/netbeans-slack-signup
The full deprecated link underneath is here:
https://netbeans.slack.com/join/shared_invite/enQtMzcyNzM5MjYwMDUxLTg1YmVkMWUxYzlhMTE3NzRiMTM4N2E0Yjc5MDdkYzZkM2Q5ZjI5ZTE5NmE3MTZmNTJlYjBmMGFhOTQwNTM2YmQ


Any idea ?

Thanks !