Posted to notifications@netbeans.apache.org by GitBox <gi...@apache.org> on 2021/03/21 11:56:38 UTC

[GitHub] [netbeans] JaroslavTulach commented on pull request #2822: Offer to trust and prime the project when it is being opened.

JaroslavTulach commented on pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#issuecomment-803564054


   > I think (the checkbox) should be selected by default 
   
   Yes, that's what I believe in as well. 
   
   >> Checked by default is not explicit consent.
   
   I believe pressing the "Open Project" button is explicit enough.
   
   > explicit user consent was made ... in response to (CVE) security report, and....
   
   It is great to see that even the CVE reporter agrees that the _Open Project_ dialog with a checkbox is good enough.
   
   > but perhaps also accompanied by a global setting somewhere allowing it to be unselected by default by some users?
   
   Both the _"Trust"_ & _"Open required projects"_ settings are persisted for the next time. I.e., it is only about the initial default. And yes, I can...
   
   > tooltip on that checkbox
   > _A project's build script might execute foreign code with the full permission of your user account_
   > _Trust the project's build script_
   
   ...change the wording and add a tooltip. Great idea!
   
   > ...I ... have received a notification
   
   Guys, I am not sure what you have done to each other, but neither I nor my PR wants to be part of your personal dispute. I have CCed Emilian to see whether such a _checkbox solution_ to his CVE is still perceived as OK. It seems Emilian perceives it that way.
   
   Thank you all for your reviews!

