Apache NetBeans is an integrated development environment (IDE) for Java, with extensions for PHP, C, C++, HTML5, JavaScript, and other languages. This project builds Snap packages of NetBeans directly from its source repository on GitHub. These packages are strictly confined, running in complete isolation with only limited access to your system. See the Install and Usage sections below for details.
The table below provides a summary of the support for Git version control and the Apache Ant, Apache Maven, and Gradle build tools in this strictly-confined environment:
Tool | Support | Comment |
---|---|---|
Git | ✓ | Works, but uses only the local Git repository configuration file. See notes below. |
Ant | ✓ | Works as expected. |
Maven | ✓ | Works, but uses alternative locations for the Maven user settings file and local repository directory. See notes below. |
Gradle | ❌ | Does not work. |
If you require the full use of Git or Gradle from within NetBeans, you'll need to download and install the unconfined official release instead of the Strictly NetBeans Snap package. If, like me, you prefer to run Git in the Terminal outside of NetBeans and use only the Apache Ant and Apache Maven build tools, you should be able to use Strictly NetBeans for your software development. See the Usage section below for important instructions on how to avoid problems.
This project is one of four that I created to gain control of my development environment:
-
OpenJDK - Current JDK release and early-access builds
-
OpenJFX - Current JavaFX release and early-access builds
-
Strictly Maven - Apache Maven™ in a strictly-confined snap
-
Strictly NetBeans - Apache NetBeans® in a strictly-confined snap
Install the Strictly NetBeans Snap package with the command:
$ sudo snap install strictly-netbeans
The Snap package is strictly confined and adds only the following interfaces to its permissions:
- the desktop interfaces to run as a graphical desktop application,
- the home interface to read and write files under your home directory,
- the network interface to download NetBeans plugins and Maven artifacts,
- the network-bind interface to listen on local server sockets, and
- the optional mount-observe interface to enable Git support for the project repository.
When you install Strictly NetBeans, it will automatically install the OpenJDK Snap package and connect to it for its Java Development Kit (JDK). You can also install the OpenJDK Snap package manually with the command:
$ sudo snap install openjdk
After both packages are installed, you'll see the following interface among their list of connections:
$ snap connections strictly-netbeans
Interface Plug Slot Notes
content[jdk-19-1804] strictly-netbeans:jdk-19-1804 openjdk:jdk-19-1804 -
You can also connect them manually with the command:
$ sudo snap connect strictly-netbeans:jdk-19-1804 openjdk:jdk-19-1804
You can use a different JDK by disconnecting the OpenJDK Snap package and setting the JAVA_HOME
environment variable. Because the Strictly NetBeans Snap package is strictly confined, the JDK must be located under a non-hidden folder of your home directory. For example:
$ sudo snap disconnect strictly-netbeans:jdk-19-1804
$ export JAVA_HOME=$HOME/opt/jdk-20
$ strictly-netbeans
The steps in building the packages are open and transparent so that you can gain trust in the process that creates them instead of having to put all of your trust in their publisher.
Each step of the build process is documented below:
- Build File - the Snapcraft build file that creates the package
- Source Code - the release branches used to obtain the NetBeans source code
- Snap Package - information about the package and its latest builds on Launchpad
- Store Listing - the listing for the package in the Snap Store
The Launchpad build farm runs each build in a transient container created from trusted images to ensure a clean and isolated build environment. Snap packages built on Launchpad include a manifest that lets you verify the build and identify its dependencies.
Each Strictly NetBeans package provides a software bill of materials (SBOM) and a link to its build log. This information is contained in a file called manifest.yaml
in the directory /snap/strictly-netbeans/current/snap
. The image-info
section of the manifest provides a link to the package's page on Launchpad with its build status, including the complete log file from the container that ran the build. You can use this information to verify that the Strictly NetBeans Snap package installed on your system was built from source on Launchpad using only the software in Ubuntu 18.04 LTS.
For example, I'll demonstrate how I verify the Strictly NetBeans Snap package installed on my system at the time of this writing. The snap info
command shows that I installed Strictly NetBeans version 15 with revision 10:
$ snap info strictly-netbeans
...
channels:
latest/stable: 15 2022-09-15 (10) 551MB -
latest/candidate: ↑
latest/beta: ↑
latest/edge: ↑
installed: 15 (10) 551MB -
The following command prints the build information from the manifest file:
$ grep -A3 image-info /snap/strictly-netbeans/current/snap/manifest.yaml
image-info:
build-request-id: lp-73868090
build-request-timestamp: '2022-09-06T19:00:24Z'
build_url: https://launchpad.net/~jgneff/+snap/strictly-netbeans/+build/1872566
The build_url
in the manifest is a link to the page on Launchpad with the package's Build status and Store status. The store status shows that Launchpad uploaded revision 10 to the Snap Store, which matches the revision installed on my system. The build status shows a link to the log file with the label buildlog.
The end of the log file contains a line with the SHA512 checksum of the package just built, shown below with the checksum edited to fit on this page:
Snapping...
Snapped strictly-netbeans_15_multi.snap
727134069ab142f0...a6b6168a7394b768 strictly-netbeans_15_multi.snap
Revoking proxy token...
The command below prints the checksum of the package installed on my system:
$ sudo sha512sum /var/lib/snapd/snaps/strictly-netbeans_10.snap
727134069ab142f0...a6b6168a7394b768 /var/lib/snapd/snaps/strictly-netbeans_10.snap
The two checksum strings are identical. Using this procedure, I verified that the Strictly NetBeans Snap package installed on my system and the Strictly NetBeans Snap package built and uploaded to the Snap Store by Launchpad are in fact the exact same package. For more information, see Launchpad Bug #1979844, "Allow verifying that a snap recipe build corresponds to a store revision."
First, verify that the Strictly NetBeans Snap package is working and connected to the OpenJDK Snap package by starting it from the command line:
$ strictly-netbeans
WARNING: package com.apple.eio not in java.desktop
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.netbeans.TopSecurityManager
(file:/snap/strictly-netbeans/10/netbeans/platform/lib/boot.jar)
WARNING: Please consider reporting this to the maintainers of org.netbeans.TopSecurityManager
WARNING: System::setSecurityManager will be removed in a future release
You should be presented with the Apache NetBeans window. If instead you see the error message printed below, make sure that the OpenJDK Snap package is installed and connected as described previously in the Install section.
$ strictly-netbeans
Cannot find java. Please use the --jdkhome switch.
The Snap package does not have access to hidden files or folders in your home directory, so it uses the following alternative locations for the NetBeans user settings and user cache directories:
Apache NetBeans Default | Strictly NetBeans Alternative |
---|---|
~/.netbeans |
~/snap/strictly-netbeans/current |
~/.cache/netbeans |
~/snap/strictly-netbeans/common |
You need to make two changes for Git to work:
- Move the user-specific "global" configuration file to its secondary location.
- Enable the permission to "Read system mount information and disk quotas."
You can make both changes with the following two commands:
$ mv ~/.gitconfig ~/.config/git/config
$ sudo snap connect strictly-netbeans:mount-observe
These changes are explained in detail below.
The Strictly NetBeans Snap package has no access to the primary user-specific "global" configuration file ~/.gitconfig
. As a result, you may see error messages like the following when you first open a project that is also a Git repository:
java.io.FileNotFoundException: /home/john/.gitconfig (Permission denied)
NetBeans fails to recover from the error, essentially disabling all of its Git support. There could be a way to make NetBeans use an alternative location for the file, but its Eclipse JGit library does not yet support the environment variable GIT_CONFIG_GLOBAL
that would make this possible.
There is, however, a small change you can make to avoid the error. The JGit library looks for the global configuration file only in its primary location. If you move the file to its secondary location, you will hide it from JGit while still being able to use it for normal Git commands outside of NetBeans:
$ mv ~/.gitconfig ~/.config/git/config
This change lets JGit avoid the error and continue to load the local repository-specific configuration file .git/config
in the project's directory. You won't be able to perform Git operations in NetBeans that require values of variables from the global configuration, such as user.name
and user.email
, but you'll still be able to see the Git history along with any changes in the editor since the last commit. For everything else, I simply run the Git commands in the Terminal outside of NetBeans.
After moving the global configuration file to its secondary location, you'll then encounter the following error:
java.io.IOException: Mount point not found
To avoid this error, connect the optional mount-observe
plug to its core slot with the following command:
$ sudo snap connect strictly-netbeans:mount-observe
Alternatively, you can enable the permission to "Read system mount information and disk quotas" in either the Ubuntu Software or GNOME Software application.
This permission lets the JGit library determine whether the repository's file system is writable. A writable file system lets JGit measure the timestamp resolution and avoid the racy Git problem. JGit saves this information in its configuration file, shown in the example below:
$ cat ~/snap/strictly-netbeans/current/.config/jgit/config
[filesystem "Snap Build|19|/dev/mapper/sda1_crypt"]
timestampResolution = 5498 nanoseconds
minRacyThreshold = 4069 microseconds
Projects using Apache Ant still work in this strictly-confined environment.
Projects using Apache Maven still work in this strictly-confined environment. Note that the Maven user settings file and local repository directory are found in the alternative locations shown below:
Apache NetBeans Default | Strictly NetBeans Alternative |
---|---|
~/.m2/settings.xml |
~/snap/strictly-netbeans/common/settings.xml |
~/.m2/repository |
~/snap/strictly-netbeans/common/repository |
If the Strictly Maven Snap package is also installed, the Strictly NetBeans Snap package connects to it automatically. You can install it with the command:
$ sudo snap install strictly-maven
To use Strictly Maven instead of the Maven release that is bundled with NetBeans, select "Browse..." under Tools > Options > Java > Maven > Execution > Maven Home to open the dialog "Select Maven Installation Location," and then open the directory:
/snap/strictly-netbeans/current/maven
Note: Before building any Maven projects, add the option --strict-checksums
under Tools > Options > Java > Maven > Execution > Global Execution Options. It's best to have Maven fail the build when a downloaded artifact does not match its checksum, yet that is not the default in the current release.
Projects using Gradle do not work in this strictly-confined environment. The Gradle support in NetBeans fails to build or even create a Gradle project when it is denied access to the ~/.gradle
hidden folder in the user's home directory.
Note that Gradle tries to create the hidden folder even when its user home is set to an alternative location. For example, after setting the Gradle User Home to ~/snap/strictly-netbeans/common/gradle
in the panel under Tools > Options > Java > Gradle > Execution, Gradle still tries to create the default ~/.gradle
directory and fails to recover after being denied permission.
You can build the Snap package on Linux by installing Snapcraft on your development workstation. Run the following commands to install Snapcraft, clone this repository, and start building the package:
$ sudo snap install snapcraft --classic
$ git clone https://github.com/jgneff/strictly-netbeans.git
$ cd strictly-netbeans
$ snapcraft
To run the build remotely on Launchpad, enter the command:
$ snapcraft remote-build
See the Snapcraft Overview page for more information about building Snap packages.
This project is licensed under the Apache License 2.0, the same license used by the Apache NetBeans project. See the LICENSE file for details. Apache NetBeans and the NetBeans logo are either registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries.