This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 253955 - Only obsolete MD5 sums are provided for netbeans installer
Summary: Only obsolete MD5 sums are provided for netbeans installer
Status: NEW
Alias: None
Product: www
Classification: Unclassified
Component: Downloads
Version: 8.1
Hardware: All All
Importance: P2 normal
Assignee: Jan Pirek
URL:
Keywords:
Duplicates: 250435
Depends on:
Blocks:
 
Reported: 2015-07-29 16:29 UTC by Coding_Panda
Modified: 2016-09-27 04:17 UTC
CC: 3 users

See Also:
Issue Type: ENHANCEMENT
Exception Reporter:


Description Coding_Panda 2015-07-29 16:29:52 UTC
I have recently noticed that the only hash sums provided for verifying that the downloaded NetBeans installer has not been corrupted, and that it has not been tampered with, are MD5 sums.

Although this is not so much of a problem if you are only verifying whether or not the file has been corrupted, it is not much use, and should not be used, for checking integrity for security reasons, because MD5 is now highly unrecommended for that kind of use due to MD5 collisions: http://www.mscs.dal.ca/~selinger/md5collision/

So it would be very good if you could, at least in addition to the MD5 sum, provide the SHA256 sum or SHA512 sum of the file, as these more modern methods are not known to have the same problems as MD5.
Comment 1 Jiri Kovalsky 2015-08-19 22:38:43 UTC
Is this still the case? And were you talking about 8.1 Beta installer or development builds?
Comment 2 Coding_Panda 2015-08-19 22:56:40 UTC
Yes it is still the case, and I am talking about the Stable 8.0.2 installer, the 8.1 Beta installer, and the Development Builds as it is the same for all of them.
Comment 3 Coding_Panda 2016-03-05 15:06:46 UTC
It's been quite a while since I originally filed this report and it is still the case... And it really is unacceptable that such a large project ignores such an important security issue for such a long time... Something urgently needs to be done about this.
Comment 4 Jiri Kovalsky 2016-03-07 10:27:12 UTC
I do not believe this is the top priority enhancement needed. In my opinion, the vast majority of people downloading NetBeans binaries do not check MD5 and just proceed with installation as soon as they download the bits. If this assumption were not the case, this RFE would have been closed as a duplicate of another RFE filed many years ago with tens of votes and tens of duplicates, while during the previous 7 months nobody else complained about the insufficiency of MD5 sums.

Hence downgrading to P2.
Comment 5 Coding_Panda 2016-03-07 10:44:07 UTC
But it is still important to provide strong HASHSUMS for those who do check; with your argument you might as well not even provide MD5SUMS. You could at least just replace MD5SUMS with SHA256SUMS; I don't see how that would put you all out so much... You have to generate the MD5SUMS and put them up there, so it's not going to be very difficult to just change that to generating SHA256SUMS...

Really, this is a bad excuse for bad security, if you are going to provide any HASHSUMS to verify file integrity, they should at least be secure against known issues.

Actually, a better security method for verifying file integrity would be to sign the file, but judging by your attitude towards modern secure HASHSUMS being used instead of insecure ones, it is probably even less likely to happen.
Comment 6 Jiri Kovalsky 2016-03-07 13:04:48 UTC
Since we sign both NBM files and installer binaries we think that MD5 checksums together with Oracle signatures provide enough security for users.
Comment 7 amobilia 2016-09-27 04:17:00 UTC
*** Bug 250435 has been marked as a duplicate of this bug. ***
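As an added example (not part of this bug report and not NetBeans project code), the kind of check the reporter wants users to be able to perform against a download: a Python verifier that reads a `sha256sum`-style list, hashes the file in chunks, compares digests in constant time, and deliberately ignores MD5-length entries so that an MD5-only list can never pass as a security check. The installer file name and its bytes below are constructed for the demonstration.

```python
"""Verify a downloaded file against a published SHA-256/SHA-512 checksum list.

Illustrative example, not NetBeans project code. Assumes the checksum file
uses the `sha256sum`/`sha512sum` output format: "<hex digest>  <filename>".
"""
import hashlib
import hmac
import os
import tempfile

# Hex-digest lengths of the algorithms we accept. MD5 (32 hex chars) is
# deliberately absent: a 128-bit digest with practical collision attacks
# cannot serve as tamper evidence, only as a corruption check.
ACCEPTED = {64: "sha256", 128: "sha512"}


def file_digest(path, algorithm, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a large installer is not read into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse checksum-list lines into {filename: (algorithm, hex_digest)}.

    Lines whose digest length is not an accepted algorithm (e.g. MD5) are
    skipped, so a list of MD5 sums cannot downgrade the check.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.lstrip("*")  # sha256sum prefixes binary-mode names with '*'
        algorithm = ACCEPTED.get(len(digest))
        if algorithm is None:
            continue
        entries[name] = (algorithm, digest.lower())
    return entries


def verify(path, sums_text):
    """Return True only if path matches an accepted (non-MD5) entry in sums_text."""
    entry = parse_sums(sums_text).get(os.path.basename(path))
    if entry is None:
        return False  # no strong digest published for this file: treat as unverified
    algorithm, expected = entry
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed end-to-end run: genuine file, MD5-only list, tampered file.

    Returns (genuine_ok, md5_only_ok, tampered_ok); expected (True, False, False).
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "netbeans-installer.sh")  # constructed name
        payload = b"#!/bin/sh\necho constructed sample installer\n"  # constructed bytes
        with open(path, "wb") as f:
            f.write(payload)

        sha256_list = "%s  netbeans-installer.sh\n" % hashlib.sha256(payload).hexdigest()
        genuine_ok = verify(path, sha256_list)

        # An MD5-only list (what the reporter objects to) is not accepted at all.
        md5_list = "%s  netbeans-installer.sh\n" % hashlib.md5(payload).hexdigest()
        md5_only_ok = verify(path, md5_list)

        # Flip one byte of the download; the SHA-256 check must now fail.
        with open(path, "r+b") as f:
            f.seek(3)
            f.write(b"X")
        tampered_ok = verify(path, sha256_list)

    return genuine_ok, md5_only_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

Note that a checksum list only proves integrity if it is fetched over a channel the attacker cannot alter (or is itself signed); an attacker who can swap the installer on a mirror can usually swap the accompanying sums too, which is why the thread also raises signing the file.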