Thank you, Matthias!
Re-posting your message to collect more feedback regarding:
should we replace 2.15.0 with 2.16.0 in Orbit?
Regards,
AF
12/15/2021 11:06 AM, Matthias Sohn wrote:
On Sat, Dec 11, 2021 at 8:36 PM Matthias Sohn
<matthias.s...@gmail.com> wrote:
On Sat, Dec 11, 2021 at 11:35 AM Gunnar Wagenknecht
<gun...@wagenknecht.org> wrote:
Alexander,
On Dec 11, 2021, at 10:16, Alexander Fedorov
<alexander.fedo...@arsysop.ru> wrote:
It would be great to learn the vulnerability clean-up process
with the Eclipse Orbit team to then apply it to Eclipse Passage.
There is no Orbit team. Orbit is driven by project committers
using/needing libraries in Orbit.
I encourage the Eclipse Passage project to submit a Gerrit
review for a newer version.
Considering the buzz around this vulnerability, I went ahead and
pushed an update to log4j 2.15 for Orbit:
https://git.eclipse.org/r/c/orbit/orbit-recipes/+/188768
Note that the required ClearlyDefined score isn't reached yet. If
this doesn't change soon,
maybe someone can contribute the missing information to
ClearlyDefined, or
we file CQs to get the license approval for the new version.
Since the log4j project published another release, 2.16.0, adding more
fixes for CVE-2021-44228,
I pushed another update for Orbit:
https://git.eclipse.org/r/c/orbit/orbit-recipes/+/188862
and contributed curations to the corresponding ClearlyDefined entries.
You can also try a new way as described by Mickael here:
https://www.eclipse.org/lists/orbit-dev/msg05509.html
-Gunnar
_______________________________________________
orbit-dev mailing list
orbit-...@eclipse.org
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/orbit-dev