Re: [cross-project-issues-dev] [orbit-dev] log4j vulnerability in Eclips

[Alexander Fedorov <alexander.fedorov@xxxxxxxxxx>]

    > Orbit essentially is like Maven Central
    
    In that case I don't understand why do we need Orbit at all. With
    the latest announcements regarding tycho capabilities from Christoph
    + lack of resources to support Orbit in safe form it seems to be
    useless. 
    
    Regards,
    AF

1/13/2022 1:29 PM, Gunnar Wagenknecht пишет:

On Jan 13, 2022, at 10:55, Aleksandar Kurtakov <akurtako@xxxxxxxxxx> wrote:

IMHO, people should actively remove content from Orbit that has CVEs. Much like with any other project. Even without replacing it with a fixed version. We will be better with less but trusted content than questioning ourselves for each artifact.

Agreed. There is usually a clean-up/removal of unneeded stuff. But the downloads are still available for projects consuming the repositories. 

>[...] That is definitely something 
> new, since Orbit was a trusted source of 3rd party libraries for many 
> years.

That's a misconception. Orbit essentially is like Maven Central. Instead of Maven Artifacts it distributes Eclipse plug-in artifacts. Maven Central still distributes the vulnerable Log4j version and ton of other libraries with CVEs. Does that make it a less trustworthy source now? I don't think so. Consumers still need to stay on top of those.

-Gunnar

-- 
Gunnar Wagenknecht
gunnar@xxxxxxxxxxxxxxx, http://guw.io/

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev