This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
I have recently noticed that the only hashsums provided for verifying that the downloaded NetBeans installer has not been corrupted, and that it has not been tampered with, are MD5 sums. Although this is not so much of a problem if you are only verifying whether or not the file has been corrupted, it is not much use, and should not be used, for checking integrity for security reasons, because MD5 is now highly unrecommended for that kind of use due to MD5 collisions: http://www.mscs.dal.ca/~selinger/md5collision/ So it would be very good if you could, at least in addition to the MD5 sum, provide the SHA256 sum or SHA512 sum of the file, as these more modern methods are not known to have the same problems as MD5.
Is this still the case? And were you talking about 8.1 Beta installer or development builds?
Yes it is still the case, and I am talking about the Stable 8.0.2 installer, the 8.1 Beta installer, and the Development Builds as it is the same for all of them.
It's been quite a while since I originally filed this report and it is still the case... And it really is unacceptable that such a large project ignores such an important security issue for such a long time... Something urgently needs to be done about this.
I do not believe this is the top priority enhancement needed. In my opinion, the vast majority of people downloading NetBeans binaries do not check MD5 and just proceed with installation as soon as they download the bits. If this assumption were not the case, this RFE would have been closed as a duplicate of another RFE filed many years ago with tens of votes and tens of duplicates, while during the previous 7 months nobody else complained about the insufficiency of MD5 sums. Hence downgrading to P2.
But it is still important to provide strong HASHSUMS for those who do check; by your argument you might as well not even provide MD5SUMS. You could at least just replace MD5SUMS with SHA256SUMS, I don't see how that would put you all out so much... You have to generate the MD5SUMS and put them up there, so it's not going to be very difficult to just change that to generating SHA256SUMS... Really, this is a bad excuse for bad security: if you are going to provide any HASHSUMS to verify file integrity, they should at least be secure against known issues. Actually, a better security method for verifying file integrity would be to sign the file, but judging by your attitude towards modern secure HASHSUMS being used instead of insecure ones, it is probably even less likely to happen.
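The check the reporter is asking for, shown as an added example that is not part of this bug thread or of the NetBeans project: a small Python verifier that reads a SHA256SUMS/SHA512SUMS-style file (the `sha256sum`/`sha512sum` output format), hashes the downloaded files, and refuses to treat an MD5-only digest as an integrity check. The file name `netbeans-installer.sh` and the installer bytes in `demo()` are constructed placeholders, not real release data.

```python
"""Verify downloaded files against a SHA256SUMS / SHA512SUMS file.

Added example, not NetBeans project code.  File names and contents used in
demo() are constructed placeholders.
"""
import hashlib
import hmac
import re

# Hex digest length -> algorithm.  MD5 is listed only so that it can be
# recognised and rejected; it is never accepted as an integrity check.
_DIGEST_ALGOS = {32: "md5", 64: "sha256", 128: "sha512"}
WEAK_ALGOS = {"md5"}

# "HEX  filename" or "HEX *filename" (binary-mode marker), as md5sum/sha256sum emit.
_LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")


def parse_sums(text):
    """Parse checksum lines into {filename: (algorithm, lowercase hex digest)}.

    Blank lines and '#' comments are skipped; a digest of unknown length or a
    malformed line raises ValueError rather than being silently ignored.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = m.group(1).lower(), m.group(2)
        algo = _DIGEST_ALGOS.get(len(digest))
        if algo is None:
            raise ValueError(f"unrecognised digest length {len(digest)} for {name}")
        entries[name] = (algo, digest)
    return entries


def digest_bytes(data, algo, chunk=1 << 20):
    """Hash `data` with `algo`, feeding it in chunks as one would for a large installer."""
    h = hashlib.new(algo)
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def verify_downloads(sums_text, downloads, allow_weak=False):
    """Check each downloaded file ({name: bytes}) against the checksum list.

    Returns {name: "ok" | "mismatch" | "weak-algorithm" | "no-checksum"}.
    With allow_weak=False (the default) an MD5 entry is reported as
    "weak-algorithm" and the file is not hashed at all.
    """
    expected = parse_sums(sums_text)
    results = {}
    for name, data in downloads.items():
        if name not in expected:
            results[name] = "no-checksum"
            continue
        algo, want = expected[name]
        if algo in WEAK_ALGOS and not allow_weak:
            results[name] = "weak-algorithm"
            continue
        got = digest_bytes(data, algo)
        # compare_digest runs in constant time, so a mismatch does not leak
        # how many leading digest characters matched.
        results[name] = "ok" if hmac.compare_digest(got, want) else "mismatch"
    return results


def demo():
    """Constructed scenario: a good download, a tampered one, and an MD5-only list."""
    name = "netbeans-installer.sh"           # placeholder file name
    installer = b"constructed installer payload, not a real NetBeans build\n"
    tampered = installer + b"\x00"            # one extra byte, as a tampered copy
    sha_sums = f"{hashlib.sha256(installer).hexdigest()}  {name}\n"
    md5_sums = f"{hashlib.md5(installer).hexdigest()}  {name}\n"
    return {
        "sha256_good": verify_downloads(sha_sums, {name: installer}),
        "sha256_tampered": verify_downloads(sha_sums, {name: tampered}),
        "md5_only": verify_downloads(md5_sums, {name: installer}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The verifier treats a checksum list as a policy document: an MD5 entry is not "checked and found correct", it is reported as `weak-algorithm`, which is the distinction the thread is arguing about (corruption detection versus tamper resistance). A real SHA256SUMS file would be read from disk and the installer streamed through `hashlib` in the same way; the in-memory form here only keeps the example self-contained.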
Since we sign both NBM files and installer binaries we think that MD5 checksums together with Oracle signatures provide enough security for users.
*** Bug 250435 has been marked as a duplicate of this bug. ***