Re: [cross-project-issues-dev] [orbit-dev] log4j vulnerability in Eclipse?

> However, I would vote for one feature per CVE, given 2
> reasons:

I just don't know if it is possible to present the user with a list of (new) CVE features and suggest installing them.

I think one crucial part would be that the user is actively informed about new problems.

Anyway, for sure we can add support for that in P2 and the Eclipse UI, but that would require some code changes.

That's why I'm trying to get creative about how to achieve something with the existing codebase :-)

> I would expect that there is a chance of such a feature not being
> installable on some installations due to conflicting requirements.

Well, that's actually the idea here: if there is a conflict, P2 will suggest two solutions:

- uninstall the dangerous stuff and install the CVE mitigation
- do not install the CVE mitigation and keep the current installation

at least that's the theory ;-)

On 15.12.21 at 07:52, Michael Keppler wrote:
> On 13.12.2021 at 18:03, Christoph Läubrich wrote:
>
>> Yep, that's what I had in mind. I think it would be cool to have
>> one global feature "CVE Mitigation" or something, and this
>> requires/includes individual CVE features that ship with appropriate
>> p2.inf items.
>> This way, once added to an IDE, this will enable us to make CVE fixes
>> available to a broad audience and make people more aware of them
>> through the update capabilities of Eclipse itself.
>
> Sounds great. However, I would vote for one feature per CVE, given 2
> reasons:
>
> Some companies are rather reluctant to change previously certified tool
> chains, and might want to include fix A, but not fix B (because they can
> explain why it does not affect them).
>
> I would expect that there is a chance of such a feature not being
> installable on some installations due to conflicting requirements. The
> more CVEs (and requirements) included, the higher that chance. It would
> be good if such a conflict would not prohibit installing the other fixes.
> I might be wrong about this item.

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
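As an added illustration (not code from this thread, from Orbit, or from the Eclipse p2 project), the two-level layout discussed above, an umbrella "CVE Mitigation" feature that pulls in one feature per CVE, and a per-CVE feature whose p2.inf forbids the affected bundle versions, could be expressed with p2.inf advice files placed next to each feature.xml. The feature ids, the bundle symbolic name and the version range below are assumptions chosen for the example, not values taken from the thread; the real bounds would come from the advisory for the CVE in question.

```properties
# p2.inf of the umbrella feature (assumed id: org.example.cve.mitigation.feature)
# Each per-CVE feature is referenced as its own installable unit (IU), so a user
# can install the umbrella and still drop an individual mitigation. optional=true
# means an unresolvable per-CVE feature does not block the other ones.
requires.0.namespace=org.eclipse.equinox.p2.iu
requires.0.name=org.example.cve.mitigation.log4j.feature.group
requires.0.range=0.0.0
requires.0.greedy=true
requires.0.optional=true

# ----------------------------------------------------------------------
# p2.inf of one per-CVE feature (assumed id: org.example.cve.mitigation.log4j.feature)
# A requirement with min=0 and max=0 is a negative requirement: the profile
# may contain zero IUs matching name + range. Bundle id and range are
# placeholders for the vulnerable versions named in the advisory.
requires.0.namespace=org.eclipse.equinox.p2.iu
requires.0.name=org.apache.logging.log4j.core
requires.0.range=[2.0.0,2.15.0)
requires.0.min=0
requires.0.max=0
```

With the negative requirement in place, installing the per-CVE feature into a profile that still contains a bundle in the forbidden range is exactly the conflict described above: the p2 planner cannot satisfy both the existing installation and the new feature, so it offers either to remove the affected bundle (and whatever depends on it) together with installing the mitigation, or to leave the installation as it is and skip the mitigation. Marking the per-CVE requirement in the umbrella as optional is what keeps one unresolvable fix from blocking the others.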

