Re: [cross-project-issues-dev] Log4j 1.x vulnerability

Gerrit recently moved from log4j 1.2 to reload4j [1].
Note that to make this work with slf4j you have to update slf4j to 1.7.33
and add org.slf4j:slf4j-reload4j instead of org.slf4j:slf4j-log4j12 [2] at runtime.

[1] https://gerrit-review.googlesource.com/c/gerrit/+/328081
[2] https://gerrit-review.googlesource.com/c/gerrit/+/328620

On Wed, Jan 26, 2022 at 8:33 AM Christoph Läubrich <laeubi@xxxxxxxxxxxxxx> wrote:
Creating a fragment tightly couples it to its implementation and thus
has to cope with its lifetime and internal implementation state.

You have two choices:

- make two fragments
- switch to the newer dependency and don't care about the old

On 26.01.22 at 08:30, Dirk Fauth via cross-project-issues-dev wrote:
> @Christian
> Good to hear that you are moving to Import-Package! The fragment in the
> current configuration can actually not be simply fixed with a drop-in
> replacement as your version bounds are too strict. With that
> configuration it won't be ever possible to exchange to a newer bugfix
> version. I would suggest that you at least change this to [1.2.15,1.3)
>
> @Christopher
> I have been fighting the Require-Bundle vs Import-Package discussion for years.
> There are unfortunately a few use cases in the Eclipse Platform that
> block the clean usage because of split package issues. Still, I agree with
> your statement in general, especially with regard to logging
> dependencies, which because of SLF4J are one of the best examples.
> But even with Import-Package the fragment issue (e.g. to provide a
> bundled logging configuration or custom log writer) would fail.
>
> Should we have a look at creating a re-bundled reload4j?
>
> Dietrich, Christian <christian.dietrich@xxxxxxxxx> wrote on Wed, 26 Jan 2022, 06:56:
>
>     We at Xtext already have an issue to track it on our side:
>     https://github.com/eclipse/xtext/issues/2028
>
>     Unfortunately Xtext in the current release has Require-Bundle (if I
>     caught them all they should be gone in 2.26.0.M3), but the bigger
>     problem is this one here:
>     https://github.com/eclipse/xtext-eclipse/blob/ffa3cf77753ebc29687768731a5d45416d2b50f1/org.eclipse.xtext.logging/META-INF/MANIFEST.MF#L5
>
>     I guess also some downstream components in simrel would have to pick
>     up a new Xtext release.
>     I am not sure how much time I can spend to "pay attention" in Feb
>     and what the webmaster team will break,
>     so I am not sure if it is a good idea to add the new Xtext
>     release to simrel.
>
>     kind regards
>     Christian
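The version-bounds point raised in the thread, as an added example that is not part of the thread or of any project's code: a Python check that reads `Fragment-Host` and `Require-Bundle` clauses from a MANIFEST.MF and reports those whose `bundle-version` range would exclude a candidate replacement version. The manifests, the host symbolic name `org.apache.log4j`, the strict range `[1.2.15,1.2.16)` and the candidate version `1.2.19` are constructed sample values; only the range `[1.2.15,1.3)` comes from the thread.

```python
import re

# Constructed sample manifests (not copied from any project).
STRICT = ('Bundle-SymbolicName: example.logging\n'
          'Fragment-Host: org.apache.log4j;bundle-version="[1.2.15,1.2.16)"\n')
RELAXED = STRICT.replace("[1.2.15,1.2.16)", "[1.2.15,1.3)")  # range from the thread

def parse_version(text):
    """OSGi version major[.minor[.micro[.qualifier]]] as a comparable tuple."""
    parts = text.strip().split(".", 3)
    nums = [int(p) for p in parts[:3]]
    nums += [0] * (3 - len(nums))               # missing segments default to 0
    return (*nums, parts[3] if len(parts) > 3 else "")

def in_range(version, spec):
    """True if version satisfies an OSGi range such as "[1.2.15,1.3)"."""
    v, spec = parse_version(version), spec.strip()
    if spec[0] not in "[(":                     # bare version means "at least this"
        return v >= parse_version(spec)
    low, high = (parse_version(s) for s in spec[1:-1].split(","))
    low_ok = v >= low if spec[0] == "[" else v > low
    high_ok = v <= high if spec[-1] == "]" else v < high
    return low_ok and high_ok

def headers(manifest):
    """Parse MANIFEST.MF text, joining continuation lines (leading space)."""
    unfolded = re.sub(r"\r?\n ", "", manifest)
    return dict(l.split(": ", 1) for l in unfolded.splitlines() if ": " in l)

def blocked_clauses(manifest, bundle, candidate):
    """Return (header, range) pairs that name `bundle` but exclude `candidate`."""
    parsed, hits = headers(manifest), []
    for name in ("Fragment-Host", "Require-Bundle"):
        # Split clauses on commas that are outside double quotes.
        for clause in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', parsed.get(name, "")):
            symbolic, *attrs = [p.strip() for p in clause.split(";")]
            if symbolic != bundle:
                continue
            rng = next((a.split("=", 1)[1].strip('"') for a in attrs
                        if a.startswith("bundle-version=")), "0.0.0")
            if not in_range(candidate, rng):
                hits.append((name, rng))
    return hits

if __name__ == "__main__":
    for label, text in (("strict", STRICT), ("relaxed", RELAXED)):
        print(label, blocked_clauses(text, "org.apache.log4j", "1.2.19"))
```

Qualifiers are compared as plain strings here, which is sufficient for checking release versions against a range.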
