This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Only obsolete MD5 sums are provided for netbeans installer | | |
| Product | www | Reporter | Coding_Panda |
| Component | Downloads | Assignee | Jan Pirek <jpirek> |
| Status | NEW --- | | |
| Severity | normal | CC | Coding_Panda, mr_lou_d, pgebauer |
| Priority | P2 | | |
| Version | 8.1 | | |
| Hardware | All | | |
| OS | All | | |
| Issue Type | ENHANCEMENT | Exception Reporter | |
Description (Coding_Panda, 2015-07-29 16:29:52 UTC)
Is this still the case? And were you talking about the 8.1 Beta installer or development builds?

Yes it is still the case, and I am talking about the Stable 8.0.2 installer, the 8.1 Beta installer, and the Development Builds, as it is the same for all of them. It's been quite a while since I originally filed this report and it is still the case... And it really is unacceptable that such a large project ignores such an important security issue for such a long time... Something urgently needs to be done about this.

I do not believe this is the top priority enhancement needed. In my opinion, the vast majority of people downloading NetBeans binaries do not check MD5 and just proceed with installation as soon as they download the bits. If this assumption was not the case, this RFE would have been closed as a duplicate of another RFE filed many years ago with tens of votes and tens of duplicates, while during the previous 7 months nobody else complained about the insufficiency of MD5 sums. Hence downgrading to P2.

But it is still important to provide strong HASHSUMS for those who do check; with your argument you might as well not even provide MD5SUMS. You could at least just replace MD5SUMS with SHA256SUMS, I don't see how that would put you all out so much... You have to generate the MD5SUMS and put them up there, so it's not going to be very difficult to just change that to generating SHA256SUMS... Really, this is a bad excuse for bad security: if you are going to provide any HASHSUMS to verify file integrity, they should at least be secure against known issues. Actually, a better security method for verifying file integrity would be to sign the file, but judging by your attitude towards modern secure HASHSUMS being used instead of insecure ones, it is probably even less likely to happen.

Since we sign both NBM files and installer binaries, we think that MD5 checksums together with Oracle signatures provide enough security for users.
*** Bug 250435 has been marked as a duplicate of this bug. ***
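As an added illustration (not code from the NetBeans project or from this report), the release-side step the reporter describes: writing a coreutils-style SHA256SUMS file beside the legacy MD5SUMS from the same artifact list, and a download-side check that recomputes every listed digest. The installer names and contents are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Sums files to publish; "MD5SUMS" is the legacy format the report criticises.
ALGORITHMS = {"SHA256SUMS": "sha256", "MD5SUMS": "md5"}

def digest_file(path, algorithm):
    """Stream the file through hashlib so a large installer is never fully in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def write_sums(directory, names, sums_file):
    """Write a coreutils-style sums file ('<hex>  <name>' per line) next to the artifacts."""
    algorithm = ALGORITHMS[sums_file]
    lines = [f"{digest_file(os.path.join(directory, n), algorithm)}  {n}\n" for n in names]
    with open(os.path.join(directory, sums_file), "w") as f:
        f.writelines(lines)
    return lines

def verify_sums(directory, sums_file):
    """Recompute every digest listed in a sums file; return {name: matches}."""
    algorithm = ALGORITHMS[sums_file]
    results = {}
    with open(os.path.join(directory, sums_file)) as f:
        for line in f:
            expected, _, name = line.rstrip("\n").partition("  ")
            actual = digest_file(os.path.join(directory, name), algorithm)
            results[name] = hmac.compare_digest(expected, actual)
    return results

def demo():
    """Constructed release directory: two fake installers, one altered after the sums were published."""
    d = tempfile.mkdtemp()
    names = ["installer-a.sh", "installer-b.sh"]  # constructed names, not real NetBeans artifacts
    for n in names:
        with open(os.path.join(d, n), "wb") as f:
            f.write(b"installer bytes for " + n.encode())
    write_sums(d, names, "SHA256SUMS")
    write_sums(d, names, "MD5SUMS")
    with open(os.path.join(d, names[1]), "ab") as f:
        f.write(b"\x00")  # simulate corruption or tampering after publication
    return verify_sums(d, "SHA256SUMS")
```

Either sums file is consumed the same way by `sha256sum -c` or `md5sum -c`, which is the point the reporter makes: switching the published algorithm changes one step of the release process, not the user's workflow.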