> On Jan 13, 2022, at 10:55, Aleksandar Kurtakov <akurt...@redhat.com> wrote:
> IMHO, people should actively remove content from Orbit that has CVEs. Much > like with any other project. Even without replacing it with a fixed version. > We will be better with less but trusted content than questioning ourselves > for each artifact. Agreed. There is usually a clean-up/removal of unneeded stuff. But the downloads are still available for projects consuming the repositories. > >[...] That is definitely something > > new, since Orbit was a trusted source of 3rd party libraries for many > > years. That's a misconception. Orbit essentially is like Maven Central. Instead of Maven Artifacts it distributes Eclipse plug-in artifacts. Maven Central still distributes the vulnerable Log4j version and ton of other libraries with CVEs. Does that make it a less trustworthy source now? I don't think so. Consumers still need to stay on top of those. -Gunnar -- Gunnar Wagenknecht gun...@wagenknecht.org, http://guw.io/
_______________________________________________ cross-project-issues-dev mailing list cross-project-issues-dev@eclipse.org To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
