I went ahead and pushed the naive addition of reload4j 1.2.19 disguised as bundle org.apache.log4j to Orbit: https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190574

Feel free to change this if someone finds out how to use EBR to only sign the upstream artefact.
-Matthias

On Tue, Feb 8, 2022 at 4:04 PM Dirk Fauth via cross-project-issues-dev <cross-project-issues-dev@eclipse.org> wrote:

> Well, from my point of view the usage of reload4j is the only backwards
> compatible solution. Unfortunately not for every case, e.g. too strict
> version ranges. The solution forward is of course the usage of a log
> wrapper to decouple development from deployment.
>
> Anyhow I don't know how to add a bundle jar signed and unchanged to Orbit.
> I am only aware of the re-bundling via EBR. Doing that will cause a change
> in the jar structure that causes for example logpresso to identify a CVE,
> although it is fixed. Which is actually only an issue in the detection. But
> that was one of the reasons why I contacted the reload4j project to change
> the base to avoid the re-bundling.
>
> Anyone who knows how to only sign and publish to Orbit without
> re-bundling?
>
> Ed Merks <ed.me...@gmail.com> wrote on Tue, Feb 8, 2022, 15:54:
>
>> Dirk,
>>
>> Thanks. That's really great! It would be great for this release cycle
>> if it were jar signed and available from Orbit so that we could ship it
>> with 2022-03...
>>
>> There are people who are concerned:
>>
>> https://www.eclipse.org/forums/index.php/mv/msg/1109656/1849775/#msg_1849775
>>
>> Though I'm not sure if they would consider the problem being fixed in
>> 1.2.19 a fact and even if it's a fact if it would be a fact that matters...
>>
>> Regards,
>> Ed
>>
>> On 08.02.2022 15:48, Dirk Fauth via cross-project-issues-dev wrote:
>>
>> Hi,
>>
>> I got in contact with the reload4j team. They changed the
>> Bundle-SymbolicName to org.apache.log4j and fixed several OSGi metadata
>> related issues in the meanwhile. Today they published 1.2.19 which should
>> work as a drop-in replacement in Eclipse based applications where
>> Require-Bundle was used. My local tests worked so far.
>>
>> That said, re-bundling for Orbit should not be necessary as reload4j
>> could directly be consumed via Maven Central.
>>
>> Just wanted to keep you updated.
>>
>> Greez,
>> Dirk
>>
>> Ed Willink <ed.will...@gmail.com> wrote on Wed, Jan 26, 2022, 13:47:
>>
>>> Hi
>>>
>>> On 26/01/2022 07:48, Christoph Läubrich wrote:
>>> > Why not using SLF4J in all places and let the user choose the
>>> > implementation with their favorite CVEs?
>>>
>>> Use of SLF4J has been suggested before and so I tried to be a good
>>> Eclipse citizen. My failed attempts are described in:
>>>
>>> https://bugs.eclipse.org/bugs/show_bug.cgi?id=559532
>>>
>>> If SLF4J is to be used, can someone please ensure that the platform is
>>> fit for purpose and that there is a good tutorial on how to do really
>>> boring logging.
>>>
>>> Regards
>>>
>>> Ed Willink
>>>
>>> _______________________________________________
>>> cross-project-issues-dev mailing list
>>> cross-project-issues-dev@eclipse.org
>>> To unsubscribe from this list, visit
>>> https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
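The "too strict version ranges" caveat from the thread, as an added example that is not part of the original messages: a small OSGi `Require-Bundle` matcher that checks whether a bundle named org.apache.log4j at version 1.2.19 would satisfy a consumer's requirement. The function names and both header strings are constructed for illustration, and the header value is assumed to be already unfolded from MANIFEST.MF.

```python
import re

# Constructed Require-Bundle values (not taken from any real Eclipse bundle).
STRICT = 'org.eclipse.core.runtime,org.apache.log4j;bundle-version="[1.2.15,1.2.18)"'
OPEN = 'org.apache.log4j;bundle-version="1.2.15";visibility:=reexport'

def parse_version(text):
    """OSGi version major[.minor[.micro[.qualifier]]]; missing numbers are 0."""
    parts = text.strip().split(".", 3)
    nums = [int(p) for p in parts[:3]] + [0] * (3 - len(parts[:3]))
    return (nums[0], nums[1], nums[2], parts[3] if len(parts) == 4 else "")

def in_range(version, spec):
    """True if version satisfies an OSGi range or a bare minimum version."""
    v, spec = parse_version(version), spec.strip()
    if spec[0] in "[(":
        low, high = spec[1:-1].split(",")
        lo, hi = parse_version(low), parse_version(high)
        low_ok = v >= lo if spec[0] == "[" else v > lo
        high_ok = v <= hi if spec[-1] == "]" else v < hi
        return low_ok and high_ok
    return v >= parse_version(spec)  # a bare version means "at least"

def parse_require_bundle(header):
    """Map symbolic name -> bundle-version spec ('0.0.0' when none is given)."""
    required = {}
    # Split only on commas outside double quotes; ranges contain commas too.
    for clause in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', header):
        name, *params = [p.strip() for p in clause.split(";")]
        spec = "0.0.0"
        for param in params:
            key, _, value = param.partition("=")
            if key.strip() == "bundle-version":
                spec = value.strip().strip('"')
        required[name] = spec
    return required

def resolves(header, bsn, version):
    """Would a bundle with this symbolic name and version meet the requirement?"""
    spec = parse_require_bundle(header).get(bsn)
    return spec is not None and in_range(version, spec)

if __name__ == "__main__":
    for header in (STRICT, OPEN):
        print(resolves(header, "org.apache.log4j", "1.2.19"), header)
```

A consumer whose upper bound excludes 1.2.19 stays unresolved even though the symbolic name matches, so its manifest has to be widened before the replacement can be used.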