Posted to dev@netbeans.apache.org by Glenn Holmer <ce...@kolabnow.com.INVALID> on 2020/05/29 13:25:29 UTC

NetBeans and the Octopus

What's all this, then?

https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain

-- 
Glenn Holmer (Linux registered user #16682)
"After the vintage season came the aftermath -- and Cenbe."


Re: NetBeans and the Octopus

Posted by John Kostaras <jk...@gmail.com>.
https://www.zdnet.com/article/github-warns-java-developers-of-new-malware-poisoning-netbeans-projects/

On Fri, 29 May 2020 at 15:46, Jesse Glick <ty...@gmail.com> wrote:

> A further note:
>
> > the malware also infected any JAR files that were available in the
> > project, such as dependencies—not necessarily just build artifacts
>
> If I understand correctly what is being said here, this kind of attack
> only makes sense for a build system which keeps binary dependencies in
> the source tree, which of course is a bad idea anyway, but was an
> aspect of the original managed Ant project type. Speaking as the
> architect of that system, it should be deprecated and removed from the
> default download. (If a viable version of Maven or Ivy had been
> available at that time, we would have used it.)
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@netbeans.apache.org
> For additional commands, e-mail: dev-help@netbeans.apache.org
>
> For further information about the NetBeans mailing lists, visit:
> https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists

Re: NetBeans and the Octopus

Posted by Jesse Glick <ty...@gmail.com>.
A further note:

> the malware also infected any JAR files that were available in the project, such as dependencies—not necessarily just build artifacts

If I understand correctly what is being said here, this kind of attack
only makes sense for a build system which keeps binary dependencies in
the source tree, which of course is a bad idea anyway, but was an
aspect of the original managed Ant project type. Speaking as the
architect of that system, it should be deprecated and removed from the
default download. (If a viable version of Maven or Ivy had been
available at that time, we would have used it.)

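The check a practitioner would want for the situation described in the note above (binary dependencies committed into the source tree, where a JAR can be silently rewritten) is a baseline of what is inside each vendored JAR, verified on every checkout or CI run. The following is an added example written for this page; it is not code from the thread, from NetBeans or from the GitHub Security Lab write-up. It hashes every entry inside every JAR under a project root, stores that as a JSON-serialisable baseline, and on a later run reports JARs that appeared, vanished, or whose entries changed. The lib/ layout, the JAR names and the injected class bytes in demo() are constructed for the demonstration.

```python
"""
Added example (not from the NetBeans thread or the Octopus Scanner
write-up): a baseline-and-verify check for binary dependencies that are
committed into a source tree, as in the managed Ant project type discussed
above. The directory layout, file names and class bytes used in demo() are
constructed for this demonstration.
"""
import hashlib
import json
import os
import tempfile
import zipfile


def jar_entry_digests(jar_path):
    """Map each entry name inside a JAR to the SHA-256 of its bytes.
    Hashing entries rather than the whole archive lets the report say *what*
    changed (for example a new .class file), not just that the JAR differs."""
    digests = {}
    with zipfile.ZipFile(jar_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def build_baseline(root):
    """Walk `root` and hash every *.jar found. Keys are paths relative to
    root (with forward slashes) so the baseline can live in the repository."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".jar"):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = jar_entry_digests(full)
    return baseline


def verify_tree(root, baseline):
    """Compare the JARs now under `root` with `baseline`. Returns a dict with
    'new_jars', 'missing_jars' and 'modified', the last being a list of
    (jar, added_entries, removed_entries, changed_entries) tuples."""
    current = build_baseline(root)
    report = {"new_jars": sorted(set(current) - set(baseline)),
              "missing_jars": sorted(set(baseline) - set(current)),
              "modified": []}
    for jar in sorted(set(current) & set(baseline)):
        old, new = baseline[jar], current[jar]
        added = sorted(set(new) - set(old))
        removed = sorted(set(old) - set(new))
        changed = sorted(e for e in set(old) & set(new) if old[e] != new[e])
        if added or removed or changed:
            report["modified"].append((jar, added, removed, changed))
    return report


def _write_jar(path, entries):
    """Helper for the constructed scenario: write a JAR from {name: bytes}."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def demo():
    """Constructed scenario: a project whose lib/ holds two JARs. A baseline
    is taken, then one JAR is rewritten with a patched class plus an extra
    class. verify_tree must flag exactly that JAR and those two entries."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        _write_jar(os.path.join(lib, "utils.jar"),
                   {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                    "com/example/Util.class": b"\xca\xfe\xba\xbe util-v1"})
        _write_jar(os.path.join(lib, "json.jar"),
                   {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                    "org/example/Json.class": b"\xca\xfe\xba\xbe json-v1"})
        baseline = build_baseline(root)
        # Round-trip through JSON: this is the form you would commit.
        baseline = json.loads(json.dumps(baseline))

        # Tamper: utils.jar gets a modified class and an injected extra class.
        _write_jar(os.path.join(lib, "utils.jar"),
                   {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                    "com/example/Util.class": b"\xca\xfe\xba\xbe util-v1-patched",
                    "com/example/Extra.class": b"\xca\xfe\xba\xbe injected"})
        return verify_tree(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would commit the baseline JSON next to the sources, refresh it only when a dependency is deliberately upgraded, and fail the build when verify_tree reports anything. Note the limit of this approach: it only detects changes made after the baseline was taken, so it cannot tell whether a JAR was already tampered with when it was first vendored; that still requires comparing against the artifact published by the upstream project (or, better, moving the dependency out of the source tree into a repository-managed build, as the note suggests).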


Re: NetBeans and the Octopus

Posted by Jesse Glick <ty...@gmail.com>.
Was just reading this myself. Seems to be specific to managed
Ant-based projects, not (say) Maven or Gradle or freeform Ant. As far
as I can tell, NetBeans itself is not at fault, this is just a virus
that infects a type of build system, pretty much all of which presume
that the build is running in the user’s process namespace and thus
that all build scripts are trusted. Some more modern build could use
containers to sandbox build steps I suppose; typically this is done
for CI systems and not for developer environments (pending things like
GitPod and GitHub’s new in-browser IDE becoming more widespread).
