Re: [cross-project-issues-dev] [orbit-dev] log4j vulnerability in Eclipse: update to 2.16.0?


On Jan 13, 2022, at 10:55, Aleksandar Kurtakov <akurtako@xxxxxxxxxx> wrote:

> IMHO, people should actively remove content from Orbit that has CVEs. Much like with any other project. Even without replacing it with a fixed version. We will be better with less but trusted content than questioning ourselves for each artifact.

Agreed. There is usually a clean-up/removal of unneeded stuff. But the downloads are still available for projects consuming the repositories. 

> [...] That is definitely something
> new, since Orbit was a trusted source of 3rd party libraries for many
> years.


That's a misconception. Orbit essentially is like Maven Central. Instead of Maven Artifacts it distributes Eclipse plug-in artifacts. Maven Central still distributes the vulnerable Log4j version and a ton of other libraries with CVEs. Does that make it a less trustworthy source now? I don't think so. Consumers still need to stay on top of those.

-Gunnar


-- 
Gunnar Wagenknecht
gunnar@xxxxxxxxxxxxxxx, http://guw.io/


