Posted to notifications@netbeans.apache.org by GitBox <gi...@apache.org> on 2021/03/21 14:51:11 UTC

[GitHub] [netbeans] matthiasblaesing edited a comment on pull request #2822: Offer to trust and prime the project when it is being opened.

matthiasblaesing edited a comment on pull request #2822:
URL: https://github.com/apache/netbeans/pull/2822#issuecomment-803595974


   > But the security report as reported and accepted asked to acquire explicit consent from the user on project load before executing any code. [...] I don't like the default checked - maybe I've done too much on online consent where this wouldn't be valid - opt-in vs opt-out. If they're both happy, then fine with me.
   
   Yes - the security issue was explicitly that the IDE executes foreign code without the user's explicit consent, and with an option that defaults to "enabled", we IMHO would revert to that state. It would be interesting to know:
   
   How do other IDEs handle this? I don't see how you could analyse gradle projects without executing them. If I'm not mistaken, other ecosystems are even worse: for maven and gradle, fetching the artifacts is a pretty safe operation (https downloads), while for example npm runs builds as part of dependency installation (_not_ the project build).
   
   So this might be better brought to dev@. Then in the future we can reference that discussion and the decision from it, and not get this again as a security issue.
   
   > Personally, I think what's proposed would have been a sensible approach to the issue in the first place, assuming raised as a feature request and no security issue had been accepted / CVE created.
   
   Yes - at that time I remember that I was surprised that the matter was brought to Apache Security and not to the Apache NetBeans PMC, and this gave it a bit of an awkward spin. That might also be the explanation for the personal issues that were raised.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@netbeans.apache.org
For additional commands, e-mail: notifications-help@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists