Posted to notifications@netbeans.apache.org by GitBox <gi...@apache.org> on 2021/03/21 07:59:44 UTC

[GitHub] [netbeans] JaroslavTulach opened a new pull request #2822: Offer to trust and prime the project when it is being opened.

JaroslavTulach opened a new pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822


   Sváťa exposed the existing Maven concept of a priming build as an action in #2795. Support for such an action is making its way throughout other project types (#2816) and I believe it is time to use the new API to improve user experience in NetBeans IDE! Let's add a _trust and prime_ checkbox to the following dialog:
   
   ![obrazek](https://user-images.githubusercontent.com/26887752/111897079-1de30000-8a1e-11eb-9fcf-48aa4614880d.png)
   
   NetBeans pays quite a lot of attention to the security of its users. NetBeans does its best to shield developers against attacks like [CVE-2020-11986](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11986). Clearly user consent is needed to execute anything from the build. The IDE cannot execute random scripts when users are searching directories (via Favorites) or opening random text files (via CLI or _File/Open_).
   
   However, users of other IDEs are surprised by questions that usually arise after a project is opened; it seems that other IDEs consider adding a project into a workspace or opening a new window with a project enough consent to trust the project.
   
   I believe we can do the same in NetBeans. The _File/Open Project_ dialog/action is explicit enough consent to start trusting the project and perform the `COMMAND_PRIME` to download necessary libraries on disk. To stress that the trust is being granted, I propose to add a checkbox (selected by default) into the project open dialog.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@netbeans.apache.org
For additional commands, e-mail: notifications-help@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
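The consent model the description lays out (trust is granted only through File/Open Project, never by browsing Favorites or opening a single file, and priming follows the grant) as an added example; this is illustrative code, not code from the pull request or the NetBeans code base. It uses the `ActionProvider`, `COMMAND_PRIME` and `ActionProgress` API of the NetBeans project SPI; the `ConsentGatedPrimer` class and the `OpenOrigin` enum are hypothetical, and passing an `ActionProgress` through the context lookup assumes the priming provider honours it.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import org.netbeans.api.project.Project;
import org.netbeans.spi.project.ActionProgress;
import org.netbeans.spi.project.ActionProvider;
import org.openide.filesystems.FileObject;
import org.openide.util.Lookup;
import org.openide.util.lookup.Lookups;
import org.openide.util.lookup.ProxyLookup;

/**
 * Hypothetical helper (not part of the pull request) applying the consent model
 * from the PR description: only an explicit File/Open Project grants trust, and
 * priming (COMMAND_PRIME) runs only after such a grant.
 */
final class ConsentGatedPrimer {

    private static final Logger LOG = Logger.getLogger(ConsentGatedPrimer.class.getName());

    /** How the IDE came across the project; only the dialog counts as consent (assumed names). */
    enum OpenOrigin { OPEN_PROJECT_DIALOG, FAVORITES_BROWSING, OPEN_FILE_FROM_CLI }

    /** The policy itself: an explicit open action AND the "trust and prime" checkbox ticked. */
    static boolean consentGranted(OpenOrigin origin, boolean trustAndPrimeChecked) {
        return origin == OpenOrigin.OPEN_PROJECT_DIALOG && trustAndPrimeChecked;
    }

    /**
     * Invokes COMMAND_PRIME on the project when consent was granted and the
     * project's ActionProvider supports it. Returns true if priming was started.
     * Completion is observed through ActionProgress because the provider may run
     * the build in its own request processor and return from invokeAction early.
     */
    static boolean primeIfConsented(Project project, OpenOrigin origin, boolean checked) {
        FileObject dir = project.getProjectDirectory();
        if (!consentGranted(origin, checked)) {
            LOG.log(Level.INFO, "Not priming {0}: opened via {1} without explicit trust",
                    new Object[]{dir, origin});
            return false;
        }
        Lookup projectLookup = project.getLookup();
        ActionProvider ap = projectLookup.lookup(ActionProvider.class);
        if (ap == null) {
            LOG.log(Level.INFO, "Project {0} has no ActionProvider; nothing to prime", dir);
            return false;
        }
        ActionProgress progress = new ActionProgress() {
            @Override
            protected void started() {
                LOG.log(Level.FINE, "Priming of {0} started", dir);
            }

            @Override
            protected void finished(boolean success) {
                // Surface a failed or aborted prime: the project stays trusted but unprimed.
                LOG.log(success ? Level.FINE : Level.WARNING,
                        "Priming of {0} finished, success={1}", new Object[]{dir, success});
            }
        };
        // Providers that honour ActionProgress pick it up from the context lookup (assumption).
        Lookup context = new ProxyLookup(projectLookup, Lookups.singleton(progress));
        try {
            if (!ap.isActionEnabled(ActionProvider.COMMAND_PRIME, context)) {
                LOG.log(Level.INFO, "Project {0} does not support priming", dir);
                return false;
            }
            ap.invokeAction(ActionProvider.COMMAND_PRIME, context);
            return true;
        } catch (IllegalArgumentException ex) {
            // ActionProvider methods may reject unsupported commands; do not abort
            // opening the remaining projects, but leave a trace that this one is unprimed.
            LOG.log(Level.WARNING, "Priming of " + dir + " failed", ex);
            return false;
        }
    }
}
```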


[GitHub] [netbeans] JaroslavTulach commented on a change in pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
JaroslavTulach commented on a change in pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#discussion_r598287694



##########
File path: ide/projectui/src/org/netbeans/modules/project/ui/ProjectChooserAccessory.java
##########
@@ -342,6 +359,7 @@ private void setAccessoryEnablement( boolean enable, int numberOfProjects ) {
         jTextFieldProjectName.setEnabled( enable );
         jTextFieldProjectName.setForeground(/* i.e. L&F default */null);
         jCheckBoxSubprojects.setEnabled( enable );
+        jCheckBoxPrime.setEnabled(enable);
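Review bot: Style: `jCheckBoxPrime.setEnabled(enable);` drops the spaces inside the parentheses that the surrounding lines use (`jCheckBoxSubprojects.setEnabled( enable );`); match the file's convention. Also confirm that the selected state of a disabled `jCheckBoxPrime` (the accessory is disabled when no project is selected, per the `numberOfProjects` parameter) is never read as a trust grant by the open path.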

Review comment:
       OK: 3a21270






[GitHub] [netbeans] neilcsmith-net commented on pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
neilcsmith-net commented on pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#issuecomment-803964090


   > Adding a project/folder/etc. to the workspace is treated as a good enough consent to execute the build script ... granting full trust, once the user invokes "File/Open Project...", is more than justified in my opinion.
   
   Unfortunately that is fundamentally the opposite to what we said by accepting, and responding to, the original security report -
   
   > Opening a Gradle project with NetBeans seems to execute code from the project immediately.
   >
   > Users would normally expect that selecting some (build / run) action to execute code from a foreign project, not just the act of cloning and opening the project. Projects may often be opened just to read code.
   
   So, are those other IDEs actually executing code on project open?  Because from what I recall of the conversation on this, I think there was recognition that NetBeans could be doing something different by addressing this concern.
   
   I do like adding the control of this to the open project dialog though.  That's a big improvement.  Could we have off by default, remember the setting, and use notification line support to show a (friendlier) warning message whenever the checkbox is unticked?  Enough info that the user understands that decision.




[GitHub] [netbeans] emilianbold commented on pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
emilianbold commented on pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#issuecomment-803532799


   I think it should be selected by default but perhaps also accompanied by a global setting somewhere allowing it to be unselected by default by some users?
   
   Maybe we could also be smart and pick this based on the project location. I.e. a project in the ~/Downloads folder should be unchecked by default while a project in a folder we have some history with should be trusted.
   
   Of course, you can imagine scenarios where this reduces overall protection, but from a UX standpoint being overly paranoid handicaps the IDE.




[GitHub] [netbeans] JaroslavTulach commented on a change in pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
JaroslavTulach commented on a change in pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#discussion_r598283098



##########
File path: ide/projectui/src/org/netbeans/modules/project/ui/ProjectChooserAccessory.java
##########
@@ -174,6 +188,9 @@ public void actionPerformed( ActionEvent e ) {
         if ( e.getSource() == jCheckBoxSubprojects ) {
             OpenProjectListSettings.getInstance().setOpenSubprojects( jCheckBoxSubprojects.isSelected() );
         }
+        if (e.getSource() == jCheckBoxPrime) {
+            OpenProjectListSettings.getInstance().setTrustAndPrime(jCheckBoxPrime.isSelected());
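Review bot: The trust setting is persisted the moment the checkbox is toggled, before the user confirms the dialog, so a Cancel still leaves `setTrustAndPrime(true)` stored. Prefer reading `jCheckBoxPrime.isSelected()` in the approve path where the open actually happens and only then calling `OpenProjectListSettings.getInstance().setTrustAndPrime(...)`; a grant of trust should follow the confirmed action, not a click in a dialog that may be abandoned.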

Review comment:
       Poor design by @hrebejk! The values are read in another class, but stored here.






[GitHub] [netbeans] sdedic edited a comment on pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
sdedic edited a comment on pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#issuecomment-803530137


   Could you include some narrative explanation tooltip on that checkbox? The 'trust' concept may be quite alien for non-Gradle people, as Maven users did not deal with the security that much (Maven is much more declarative -> safer).




[GitHub] [netbeans] sdedic commented on pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
sdedic commented on pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#issuecomment-803530137


   Could you include some narrative tooltip on that checkbox? The 'trust' concept may be quite alien for non-Gradle people, as Maven users did not deal with the security that much (Maven is much more declarative -> safer).




[GitHub] [netbeans] jtulach edited a comment on pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
jtulach edited a comment on pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#issuecomment-803909768


   Originally I was also fine with the resolution of [CVE-2020-11986](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11986); however, then I got feedback from users of other IDEs and they were quite surprised by the scary warning NetBeans IDE shows before opening a Gradle project.
   
   > How do other IDEs handle this?
   
   Further investigation showed that all the IDEs - Eclipse, Idea, VSCode - come with a concept of workspace: a set of "opened" projects. Adding a project/folder/etc. to the workspace is treated as a good enough consent to execute the build script. To quote myself:
   
   > I believe we can do the same in NetBeans. The File/Open Project dialog/action is explicit enough consent to start trusting the project and perform the COMMAND_PRIME to download necessary libraries on disk. 
   
   NetBeans shall not trust projects randomly found by searching the disk or opening individual files. However, granting full trust, once the user invokes "File/Open Project...", is more than justified in my opinion.
   
   
   




[GitHub] [netbeans] emilianbold edited a comment on pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
emilianbold edited a comment on pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#issuecomment-803532799


   I think it should be selected by default but perhaps also accompanied by a global setting somewhere allowing it to be unselected by default by some users?
   
   Maybe we could also be smart and pick this based on the project location. I.e. a project in the ~/Downloads folder should be unchecked by default while a project in a folder we have some history with should be trusted.
   
   Of course, you can imagine scenarios where this reduces overall protection, but from a UX standpoint being overly paranoid handicaps the IDE.




[GitHub] [netbeans] sdedic commented on a change in pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
sdedic commented on a change in pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#discussion_r598294045



##########
File path: ide/projectui/src/org/netbeans/modules/project/ui/OpenProjectList.java
##########
@@ -706,6 +707,12 @@ public void open(Project[] projects, boolean openSubprojects, ProgressHandle han
                 } else {
                     LOGGER.log(Level.WARNING, "Project in {0} disappeared", p.getProjectDirectory());
                 }
+                if (prime) {
+                    ActionProvider ap = p2.getLookup().lookup(ActionProvider.class);
+                    if (ap != null && ap.isActionEnabled(ActionProvider.COMMAND_PRIME, p2.getLookup())) {
+                        ap.invokeAction(ActionProvider.COMMAND_PRIME, p2.getLookup());
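Review bot: The `if (prime)` block runs regardless of which branch above was taken, including the `else` branch that just logged `"Project in {0} disappeared"`, so `p2.getLookup()` is dereferenced on a path where the project is known to be gone. Guard the priming with the same condition that distinguishes the two branches (or `continue` after the warning) so `COMMAND_PRIME` is only invoked for projects that were actually opened.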

Review comment:
       Understood, but the Prime action may fork the execution into its own RP; it does not necessarily complete synchronously within `invokeAction` scope.






[GitHub] [netbeans] emilianbold edited a comment on pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
emilianbold edited a comment on pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#issuecomment-803531126


   I agree with not being overly paranoid and having that checkbox on by default seems sane.
   
   It would be nice to present this better. A tooltip and/or rewording the checkbox would also make sense. The whole concept of 'priming' is basically foreign to most developers outside (low-level?) Gradle.
   
   How about 'Trust the project's build script' and a tooltip along the lines of 'A project's build script might execute foreign code with the full permission of your user account'.




[GitHub] [netbeans] JaroslavTulach merged pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
JaroslavTulach merged pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822


   




[GitHub] [netbeans] JaroslavTulach commented on pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
JaroslavTulach commented on pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#issuecomment-804088025


   > I do like adding the control of this to the open project dialog though. That's a big improvement. Could we have off by default, 
   
   Done in 14b508b




[GitHub] [netbeans] matthiasblaesing commented on pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
matthiasblaesing commented on pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#issuecomment-803595974


   > But the security report as reported and accepted asked to acquire explicit consent from the user on project load before executing any code. [...] I don't like the default checked - maybe I've done too much on online consent where this wouldn't be valid - opt-in vs opt-out. If they're both happy, then fine with me.
   
   Yes - the security issue was explicitly that the IDE executes foreign code without the user's explicit consent, and with an option that defaults to "enabled" we IMHO would revert to that state. It would be interesting to know:
   
   How do other IDEs handle this? I don't see how you could analyse Gradle projects without executing them. If I'm not mistaken other ecosystems are even worse: for Maven and Gradle fetching the artifacts is a pretty safe operation (https downloads), while for example npm runs builds as part of dependency installation (_not_ the project build).
   
   So this might be better brought to dev@. Then in the future we can reference that discussion and the decision from that and not get this again as a security issue.
   
   > Personally, I think what's proposed would have been a sensible approach to the issue in the first place, assuming raised as a feature request and no security issue had been accepted / CVE created.
   
   Yes - at that time I remember that I was surprised that that matter was brought to Apache Security and not to the Apache PMC, and this gave it a bit of an awkward spin. That might also be the explanation of the personal issues that were raised.




[GitHub] [netbeans] emilianbold commented on pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
emilianbold commented on pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#issuecomment-803543422


   Way to shoot the messenger!
   
   I showed you a proof of concept. How you implemented the fix and how you
   present it to the user was all you.
   
   Having this option now is a vast improvement vs the status quo before the
   security issue.
   
   I wouldn't have commented if I wouldn't have received a notification about
   this. Please don't @ me anymore and you won't hear from me.
   
   --emi
   
   On Sun, 21 Mar 2021, 10:48 Neil C Smith ***@***.***> wrote:
   
   > @emilianbold <https://github.com/emilianbold> the choice to require
   > explicit user consent was made by the PMC in response to your security
   > report, and in the resulting CVE. Checked by default is not explicit
   > consent. If it's overly paranoid it's because you made it so.
   >
   > IMO this discussion should maybe move back to private@ to reconsider that
   > and see if the balance is right.
   




[GitHub] [netbeans] neilcsmith-net commented on pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
neilcsmith-net commented on pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#issuecomment-803531423


   This surely shouldn't be selected by default? At least until the user has had a chance to opt in to always trust. And agree needs description. Better UI would be great, but shouldn't reduce the protection.




[GitHub] [netbeans] JaroslavTulach commented on a change in pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
JaroslavTulach commented on a change in pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#discussion_r598283313



##########
File path: ide/projectui/src/org/netbeans/modules/project/ui/OpenProjectList.java
##########
@@ -706,6 +707,12 @@ public void open(Project[] projects, boolean openSubprojects, ProgressHandle han
                 } else {
                     LOGGER.log(Level.WARNING, "Project in {0} disappeared", p.getProjectDirectory());
                 }
+                if (prime) {
+                    ActionProvider ap = p2.getLookup().lookup(ActionProvider.class);
+                    if (ap != null && ap.isActionEnabled(ActionProvider.COMMAND_PRIME, p2.getLookup())) {
+                        ap.invokeAction(ActionProvider.COMMAND_PRIME, p2.getLookup());
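Review bot: `ap.invokeAction(ActionProvider.COMMAND_PRIME, p2.getLookup())` is fire-and-forget here: its outcome is not observed and a failure is neither caught nor logged, unlike the `disappeared` case a few lines above which logs at WARNING. The `ActionProvider` methods can throw `IllegalArgumentException` (the `SuiteActionProvider` hunk in this thread shows the `throws` clause on `isActionEnabled`), so wrap the call so that one provider's exception does not abort opening the remaining projects, and log at WARNING when priming is skipped or fails so a project that was trusted but left unprimed is visible in the log.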

Review comment:
       Shouldn't the load of a full model and setting of trust happen as a result of `COMMAND_PRIME`? I believe it happens. As such I wanted to run the priming as soon as possible.






[GitHub] [netbeans] JaroslavTulach commented on a change in pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
JaroslavTulach commented on a change in pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#discussion_r619574208



##########
File path: java/java.mx.project/src/org/netbeans/modules/java/mx/project/SuiteActionProvider.java
##########
@@ -247,7 +247,7 @@ public boolean isActionEnabled(String action, Lookup context) throws IllegalArgu
             case ActionProvider.COMMAND_DEBUG_SINGLE:
                 return fo != null;
             default:
-                return true;
+                return false;
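Review bot: Changing the `default:` branch of `isActionEnabled` from `return true` to `return false` disables every command not listed explicitly in the switch; if `COMMAND_PRIME` is not one of the enumerated cases, the `ap.isActionEnabled(ActionProvider.COMMAND_PRIME, ...)` check added in `OpenProjectList.open` will now skip priming for mx suite projects. If the intent is to stop reporting unknown commands as enabled, add an explicit `case ActionProvider.COMMAND_PRIME:` returning the supported state before the default.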

Review comment:
       This is not a good change.






[GitHub] [netbeans] matthiasblaesing edited a comment on pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
matthiasblaesing edited a comment on pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#issuecomment-803595974


   > But the security report as reported and accepted asked to acquire explicit consent from the user on project load before executing any code. [...] I don't like the default checked - maybe I've done too much on online consent where this wouldn't be valid - opt-in vs opt-out. If they're both happy, then fine with me.
   
   Yes - the security issue was explicitly that the IDE executes foreign code without the user's explicit consent, and with an option that defaults to "enabled" we IMHO would revert to that state. It would be interesting to know:
   
   How do other IDEs handle this? I don't see how you could analyse Gradle projects without executing them. If I'm not mistaken other ecosystems are even worse: for Maven and Gradle fetching the artifacts is a pretty safe operation (https downloads), while for example npm runs builds as part of dependency installation (_not_ the project build).
   
   So this might be better brought to dev@. Then in the future we can reference that discussion and the decision from that and not get this again as a security issue.
   
   > Personally, I think what's proposed would have been a sensible approach to the issue in the first place, assuming raised as a feature request and no security issue had been accepted / CVE created.
   
   Yes - at that time I remember that I was surprised that that matter was brought to Apache Security and not to the Apache NetBeans PMC, and this gave it a bit of an awkward spin. That might also be the explanation of the personal issues that were raised.




[GitHub] [netbeans] sdedic commented on a change in pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
sdedic commented on a change in pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#discussion_r598270141



##########
File path: ide/projectui/src/org/netbeans/modules/project/ui/ProjectChooserAccessory.java
##########
@@ -174,6 +188,9 @@ public void actionPerformed( ActionEvent e ) {
         if ( e.getSource() == jCheckBoxSubprojects ) {
             OpenProjectListSettings.getInstance().setOpenSubprojects( jCheckBoxSubprojects.isSelected() );
         }
+        if (e.getSource() == jCheckBoxPrime) {
+            OpenProjectListSettings.getInstance().setTrustAndPrime(jCheckBoxPrime.isSelected());
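Review bot: `setTrustAndPrime` stores the decision in the global `OpenProjectListSettings` singleton, so a trust grant made for one project becomes the pre-selected default for every later open dialog. Since this checkbox authorises running the project's build, consider using the persisted value only as the dialog default and recording the actual grant per project (keyed by the project directory), so that trusting one project does not silently extend trust to the next one opened.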

Review comment:
       Is it OK that the settings here are remembered even if the user cancels the whole Project|Open at the end? I know 'Open Required Projects' has been working that way for ages, but remembering an action after Cancel is ... unexpected.






[GitHub] [netbeans] neilcsmith-net commented on pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
neilcsmith-net commented on pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#issuecomment-803583597


   I have no idea what the personal issue is.  But the security report as reported and accepted asked to acquire explicit consent from the user on project load before executing any code.  I've added @matthiasblaesing as a reviewer, as he and Laszlo discussed most of how this should be implemented in the long discussions over this, as well as the CVE filing.  I don't like the default checked - maybe I've done too much on online consent where this wouldn't be valid - opt-in vs opt-out.  If they're both happy, then fine with me.
   
   Personally, I think what's proposed would have been a sensible approach to the issue in the first place, assuming raised as a feature request and no security issue had been accepted / CVE created.




[GitHub] [netbeans] JaroslavTulach commented on a change in pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
JaroslavTulach commented on a change in pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#discussion_r598287694



##########
File path: ide/projectui/src/org/netbeans/modules/project/ui/ProjectChooserAccessory.java
##########
@@ -342,6 +359,7 @@ private void setAccessoryEnablement( boolean enable, int numberOfProjects ) {
         jTextFieldProjectName.setEnabled( enable );
         jTextFieldProjectName.setForeground(/* i.e. L&F default */null);
         jCheckBoxSubprojects.setEnabled( enable );
+        jCheckBoxPrime.setEnabled(enable);
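Review bot: `jCheckBoxPrime.setEnabled(enable)` follows the other accessory controls unconditionally, so the checkbox is offered even for project types whose `ActionProvider` has no `COMMAND_PRIME` at all. Consider enabling it only when at least one selected project reports `isActionEnabled(ActionProvider.COMMAND_PRIME, ...)`; otherwise the user is asked to grant trust for an action that will never run.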

Review comment:
       OK: commands.get(commandId)






[GitHub] [netbeans] JaroslavTulach commented on a change in pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
JaroslavTulach commented on a change in pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#discussion_r598744026



##########
File path: ide/projectui/src/org/netbeans/modules/project/ui/OpenProjectList.java
##########
@@ -706,6 +707,12 @@ public void open(Project[] projects, boolean openSubprojects, ProgressHandle han
                 } else {
                     LOGGER.log(Level.WARNING, "Project in {0} disappeared", p.getProjectDirectory());
                 }
+                if (prime) {
+                    ActionProvider ap = p2.getLookup().lookup(ActionProvider.class);
+                    if (ap != null && ap.isActionEnabled(ActionProvider.COMMAND_PRIME, p2.getLookup())) {
+                        ap.invokeAction(ActionProvider.COMMAND_PRIME, p2.getLookup());
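Review bot: the `prime` flag is applied to every project this loop reaches, including the required projects pulled in when `openSubprojects` is true, so the trust the user granted in the dialog for the chosen project silently extends to the build scripts of its transitive dependencies. If that is intended, the checkbox text or tooltip should say so; if not, restrict priming to the projects explicitly passed in `projects`.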

Review comment:
       Is a772b3f OK as a fix?






[GitHub] [netbeans] JaroslavTulach commented on pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
JaroslavTulach commented on pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#issuecomment-803564054


   > I think (the checkbox) should be selected by default 
   
   Yes, that's what I believe in as well. 
   
   >> Checked by default is not explicit consent.
   
   I believe pressing the "Open Project" button is explicit enough.
   
   > explicit user consent was made ... in response to (CVE) security report, and....
   
   It is great to see even the CVE reporter agrees with _Open Project_ dialog with a checkbox being good enough.
   
   > but perhaps also accompanied by a global setting somewhere allowing it to be unselected by default by some users?
   
   Both the _"Trust"_ & _"Open required projects"_ settings are persisted for the next time. E.g. it is only about initial default. And yes, I can...
   
   > tooltip on that checkbox
   > _A project's build script might execute foreign code with the full permission of your user account_
   > _Trust the project's build script_
   
   ...change the wording and add a tooltip. Great idea!
   
   > ...I ... have received a notification
   
   Guys, I am not sure what you have done to each other, but neither I nor my PR want to be part of your personal dispute. I have CCed Emilian to see whether such _checkbox solution_ to his CVE is still perceived OK. It seems Emilian perceives it that way.
   
   Thank you all for your reviews!




[GitHub] [netbeans] sdedic commented on a change in pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
sdedic commented on a change in pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#discussion_r598270330



##########
File path: ide/projectui/src/org/netbeans/modules/project/ui/ProjectChooserAccessory.java
##########
@@ -342,6 +359,7 @@ private void setAccessoryEnablement( boolean enable, int numberOfProjects ) {
         jTextFieldProjectName.setEnabled( enable );
         jTextFieldProjectName.setForeground(/* i.e. L&F default */null);
         jCheckBoxSubprojects.setEnabled( enable );
+        jCheckBoxPrime.setEnabled(enable);
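Review bot: disabling the checkbox changes neither its selected state nor the persisted `setTrustAndPrime` value behind it, so a greyed-out but still ticked box can carry the stored trust flag into `open(...)`. Make sure the caller derives `prime` from an enabled and selected checkbox rather than from the stored setting alone.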

Review comment:
       I'd enable iff any of the selected project(s) provides such an action; e.g. Ant projects do not.






[GitHub] [netbeans] neilcsmith-net commented on pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
neilcsmith-net commented on pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#issuecomment-803534711


   @emilianbold the choice to require explicit user consent was made by the PMC in response to your security report, and in the resulting CVE. Checked by default is not explicit consent. If it's overly paranoid it's because you made it so.
   
   IMO this discussion should maybe move back to private@ to reconsider that and see if the balance is right.




[GitHub] [netbeans] sdedic commented on a change in pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
sdedic commented on a change in pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#discussion_r598269516



##########
File path: ide/projectui/src/org/netbeans/modules/project/ui/OpenProjectList.java
##########
@@ -706,6 +707,12 @@ public void open(Project[] projects, boolean openSubprojects, ProgressHandle han
                 } else {
                     LOGGER.log(Level.WARNING, "Project in {0} disappeared", p.getProjectDirectory());
                 }
+                if (prime) {
+                    ActionProvider ap = p2.getLookup().lookup(ActionProvider.class);
+                    if (ap != null && ap.isActionEnabled(ActionProvider.COMMAND_PRIME, p2.getLookup())) {
+                        ap.invokeAction(ActionProvider.COMMAND_PRIME, p2.getLookup());
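Review bot: `invokeAction` may return before the priming work has finished (providers are free to run it asynchronously), so the containment queries that follow in this method can run against a project whose model is still empty, for example a Gradle project before its full model has loaded. Pass an `ActionProgress` in the context lookup and wait for its `finished(...)` callback before continuing, or move the queries into that callback.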

Review comment:
       The queries executed below query containment. It could be better to wait for PRIME action to finish, so e.g. gradle has a chance to load its full model and discover the project's content at all.
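Waiting for the priming action to complete, as suggested above, can be done through the ActionProgress callback that NetBeans project ActionProviders use to report completion. The class below is an added illustration, not code from the PR or from NetBeans itself; it assumes that the project's ActionProvider calls ActionProgress.start(context) on the lookup it receives and later reports finished(...) (if a provider never does, the timeout is what ends the wait), and the class name PrimeAndWait is invented for the example.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.netbeans.api.project.Project;
import org.netbeans.spi.project.ActionProgress;
import org.netbeans.spi.project.ActionProvider;
import org.openide.util.Lookup;
import org.openide.util.lookup.Lookups;
import org.openide.util.lookup.ProxyLookup;

/** Added illustration (hypothetical class name); not part of the PR. */
final class PrimeAndWait {

    private static final Logger LOG = Logger.getLogger(PrimeAndWait.class.getName());

    private PrimeAndWait() {
    }

    /**
     * Invokes COMMAND_PRIME on the project and blocks until the provider reports
     * completion or the timeout elapses.
     *
     * @return true only if the provider reported a successful finish; false when the
     *         project cannot be primed, reported failure, or did not finish in time
     */
    static boolean primeAndWait(Project p, long timeout, TimeUnit unit) throws InterruptedException {
        ActionProvider ap = p.getLookup().lookup(ActionProvider.class);
        if (ap == null) {
            return false; // project type has no actions at all
        }

        CountDownLatch done = new CountDownLatch(1);
        boolean[] succeeded = new boolean[1];

        // The provider locates this object via ActionProgress.start(context) in the
        // lookup it is handed and calls finished(...) once its work is over.
        // Assumption: the provider actually honours ActionProgress.
        ActionProgress progress = new ActionProgress() {
            @Override
            public void started() {
                LOG.log(Level.FINE, "Priming of {0} started", p.getProjectDirectory());
            }

            @Override
            public void finished(boolean success) {
                succeeded[0] = success;
                done.countDown();
            }
        };

        // Keep the project's own lookup as context and add the progress listener to it.
        Lookup context = new ProxyLookup(p.getLookup(), Lookups.singleton(progress));

        if (!ap.isActionEnabled(ActionProvider.COMMAND_PRIME, context)) {
            return false; // e.g. Ant projects provide no priming action
        }

        ap.invokeAction(ActionProvider.COMMAND_PRIME, context);

        // Bound the wait: a provider that never reports finished(...) must not hang the open.
        if (!done.await(timeout, unit)) {
            LOG.log(Level.WARNING, "Priming of {0} did not finish within {1} {2}",
                    new Object[] {p.getProjectDirectory(), timeout, unit});
            return false;
        }
        return succeeded[0];
    }
}
```

The caller (here, the project-opening code that runs under a progress handle) would only continue with its containment queries when primeAndWait returns true; a false return leaves the project opened but unprimed, which is the same state the user is in when the checkbox is left unticked.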
   






[GitHub] [netbeans] jtulach commented on pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
jtulach commented on pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#issuecomment-803909768


   Originally I was also fine with the resolution of [CVE-2020-11986](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11986); however, then I got feedback from users of other IDEs and they were quite surprised by the scary warning NetBeans IDE shows before opening a Gradle project.
   
   > How do other IDEs handle this?
   
   Further investigation showed that all the IDEs - Eclipse, Idea, VSCode - come with a concept of workspace. A set of "opened" projects. Adding a project/folder/etc. to the workspace is treated as a good enough consent. To quote myself:
   
   > I believe we can do the same in NetBeans. The File/Open Project dialog/action is explicit enough consent to start trusting the project and perform the COMMAND_PRIME to download necessary libraries on disk. 
   
   NetBeans shall not trust projects randomly found by searching the disk or opening individual files. However granting full trust, once the user invokes "File/Open Project...", is more than justified in my opinion.
   
   
   




[GitHub] [netbeans] emilianbold commented on pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
emilianbold commented on pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#issuecomment-803531126


   I agree with not being overly paranoid and having that checkbox on by default seems sane.
   
   It would be nice to present this better. A tooltip and/or rewording the checkbox would also make sense. The whole concept of 'priming' is basically foreign to most developers outside (low-level?) Gradle.
   
   How about 'Trust the project's build script' and a tooltip along the lines of 'A project's build script might execute foreign code with the full permission of your user account'




[GitHub] [netbeans] JaroslavTulach commented on a change in pull request #2822: Offer to trust and prime the project when it is being opened.

Posted by GitBox <gi...@apache.org>.
JaroslavTulach commented on a change in pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#discussion_r619574208



##########
File path: java/java.mx.project/src/org/netbeans/modules/java/mx/project/SuiteActionProvider.java
##########
@@ -247,7 +247,7 @@ public boolean isActionEnabled(String action, Lookup context) throws IllegalArgu
             case ActionProvider.COMMAND_DEBUG_SINGLE:
                 return fo != null;
             default:
-                return true;
+                return false;
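Review bot: flipping the `default` branch from `true` to `false` changes `isActionEnabled` for every command not listed in the switch, not only `COMMAND_PRIME`, so actions the mx suite provider previously reported as available disappear. If the goal is just to report priming as unsupported, add an explicit `case ActionProvider.COMMAND_PRIME: return false;` and keep the existing default.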

Review comment:
       This is not a good change and it shall be reverted. See #2915.



