Re: [cross-project-issues-dev] [orbit-dev] log4j vulnerability in Eclipse: update to 2.16.0?
> Orbit essentially is like Maven Central
In that case I don't understand why we need Orbit at all. With the latest announcements regarding Tycho capabilities from Christoph + the lack of resources to support Orbit in a safe form, it seems to be useless.
Regards,
AF
1/13/2022 1:29 PM, Gunnar Wagenknecht wrote:
> IMHO, people should actively remove content from Orbit that has CVEs. Much like with any other project. Even without replacing it with a fixed version. We will be better with less but trusted content than questioning ourselves for each artifact.
Agreed. There is usually a clean-up/removal of unneeded stuff. But the downloads are still available for projects consuming the repositories.
> [...] That is definitely something new, since Orbit was a trusted source of 3rd party libraries for many years.
That's a misconception. Orbit essentially is like Maven Central. Instead of Maven artifacts it distributes Eclipse plug-in artifacts. Maven Central still distributes the vulnerable Log4j version and a ton of other libraries with CVEs. Does that make it a less trustworthy source now? I don't think so. Consumers still need to stay on top of those.
-Gunnar