Hi,
I like the wording. In fact, it is more a Github project maintainer issue
that didn't filtered a new file on his repo.
The fact this repo was based on an IDE and that the threatening file
exploit this infirmation could lead to more risk using source code from
public repo, with Netbeans or
On 5/30/20 8:11 AM, Geertjan Wielenga wrote:
> OK, I’ll put together a blog we can refer to that will say this —
> “research has been done on GitHub that identified 26 small Ant-based
> Java projects, mostly games, some of them by the same person, none of
> the projects appeared to be
Sure, there is no need to be defensive. But, there really isn’t — the
research has identified nothing that NetBeans can do or has any control
over at all. Any project’s build process can be impacted by malware. 26 of
these have been identified on GitHub — which happened to make use of
Ant-based
Yes, this could be good publicity right before the release!
--emi
sâm., 30 mai 2020, 16:57 Emma Atkinson a scris:
> I wouldn't treat this as a negative thing about which to be defensive. It
> can be positive and show the team in a good light.
>
> Here's a suggestion
>
> We are aware of
I wouldn't treat this as a negative thing about which to be defensive. It
can be positive and show the team in a good light.
Here's a suggestion
We are aware of news report ... etc.
We contacted the researchers behind the news. They found 26 infected
projects. The owners have been contacted
OK, I’ll put together a blog we can refer to that will say this — “research
has been done on GitHub that identified 26 small Ant-based Java projects,
mostly games, some of them by the same person, none of the projects
appeared to be enterprise/professional, that had been infiltrated by
malware.
Note this is not a CVE since it's not a NetBeans vulnerability.
Executing any build will run with the local user privileges on any popular
IDE and injecting something dubious in a build is trivial.
Still, I think GitHub could have approached the Apache security team so the
NetBeans PMC has a
LOL, still, why so much enphasis on ant with Netbeans? Just throwing out
ideas but could IDEA be behind this? given Netbeans 12 is around the corner?
It seems to me like we should put out a blog entry with some response to
this. Just so that we have a central point to refer to when people ask
about this.
However, I have no idea what that blog entry should say, beyond “if someone
wants to do so, they can inject malware into the build process of
I have a folder full of jar files.
How do I add these files to my dependencies for a Maven project?
Do I have to manually add each jar ?
Is there a way to add the jars at once?
Thanks,
Ron
Should someone from the Apache Netbeans governing team, approach Microsoft
for information on this matter?
I would have thought Microsoft GitHub would welcome any approach that might
go some way toward tackling the problem. Knowing details should enable the
Netbeans and NetbeansIDE communities
I'm leaning towards this being a student project honestly. Why would a
company developing a legacy project grab random unknown Ant-based
projects from GitHub?
But NetBeans is used a lot for teaching and I suspect teachers don't
introduce Maven / Gradle since they are more complex and they use the
12 matches
Mail list logo
