Just as information for people who did not get the current status via other channels.

The re-bundled version of reload4j is available in the latest stable build of Eclipse Orbit. Logpresso has added handling for the re-bundled variant and will not detect the vulnerability in its latest version.

Christian Dietrich <christian.dietr...@itemis.de> wrote on Tue, 8 Feb 2022, 17:18:

> yes, I tried to use the pomDependencies consider features
> https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190576
>
> https://ci.eclipse.org/orbit/job/gerrit-orbit-recipes/1782/artifact/releng/repository-all/target/repository/
> but I get a signing warning, and also naming conventions etc.
> are completely "bogus"
>
> On 08.02.22 at 17:16, Ed Merks wrote:
>
> Christian,
>
> I *assume* it is not jar signed but rather only has an external PGP
> signature.
>
> Regards,
> Ed
>
> On 08.02.2022 16:48, Christian Dietrich wrote:
>
> is the original signing not enough?
> and what about about.html and other eclipse rule foo.
>
> On 08.02.22 at 16:32, Matthias Sohn wrote:
>
> I went ahead and pushed the naive addition of reload4j 1.2.19 disguised as
> bundle org.apache.log4j to Orbit
> https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190574
> feel free to change this if someone finds out how to use EBR to only sign
> the upstream artefact.
> -Matthias
>
> On Tue, Feb 8, 2022 at 4:04 PM Dirk Fauth via cross-project-issues-dev <
> cross-project-issues-dev@eclipse.org> wrote:
>
>> Well, from my point of view the usage of reload4j is the only backwards
>> compatible solution. Unfortunately not for every case, e.g. too strict
>> version ranges. The solution forward is of course the usage of a log
>> wrapper to decouple development from deployment.
>>
>> Anyhow I don't know how to add a bundle jar signed and unchanged to
>> Orbit. I am only aware of the re-bundling via EBR. Doing that will cause a
>> change in the jar structure that causes for example logpresso to identify a
>> CVE, although it is fixed. Which is actually only an issue in the
>> detection. But that was one of the reasons why I contacted the reload4j
>> project to change the base to avoid the re-bundling.
>>
>> Anyone who knows how to only sign and publish to Orbit without
>> re-bundling?
>>
>> Ed Merks <ed.me...@gmail.com> wrote on Tue, 8 Feb 2022, 15:54:
>>
>>> Dirk,
>>>
>>> Thanks. That's really great! It would be great for this release cycle
>>> if it were jar signed and available from Orbit so that we could ship it
>>> with 2022-03...
>>>
>>> There are people who are concerned:
>>>
>>> https://www.eclipse.org/forums/index.php/mv/msg/1109656/1849775/#msg_1849775
>>>
>>> Though I'm not sure if they would consider the problem being fixed in
>>> 1.2.19 a fact and even if it's a fact if it would be a fact that matters...
>>>
>>> Regards,
>>> Ed
>>>
>>> On 08.02.2022 15:48, Dirk Fauth via cross-project-issues-dev wrote:
>>>
>>> Hi,
>>>
>>> I got in contact with the reload4j team. They changed the
>>> Bundle-SymbolicName to org.apache.log4j and fixed several OSGi meta data
>>> related issues in the meanwhile. Today they published 1.2.19 which should
>>> work as a drop-in replacement in Eclipse based applications where
>>> Require-Bundle was used. My local tests worked so far.
>>>
>>> That said, re-bundling for Orbit should not be necessary as reload4j
>>> could directly be consumed via Maven Central.
>>>
>>> Just wanted to keep you updated.
>>>
>>> Greez,
>>> Dirk
>>>
>>> Ed Willink <ed.will...@gmail.com> wrote on Wed, 26 Jan 2022, 13:47:
>>>
>>>> Hi
>>>>
>>>> On 26/01/2022 07:48, Christoph Läubrich wrote:
>>>> > Why not using SLF4J in all places and let the user choose the
>>>> > implementation with their favorite CVEs?
>>>>
>>>> Use of SLF4J has been suggested before and so I tried to be a good
>>>> Eclipse citizen. My failed attempts are described in:
>>>>
>>>> https://bugs.eclipse.org/bugs/show_bug.cgi?id=559532
>>>>
>>>> If SLF4J is to be used, can someone please ensure that the platform is
>>>> fit for purpose and that there is a good tutorial on how to do really
>>>> boring logging.
>>>>
>>>> Regards
>>>>
>>>> Ed Willink
>>>>
>>>> --
>>>> This email has been checked for viruses by Avast antivirus software.
>>>> https://www.avast.com/antivirus
>
> Vorstand/Board: Jens Wagener (Vors./chairman), Dr. Stephan Eberle,
> Abdelghani El-Kacimi, Wolfgang Neuhaus, Franz-Josef Schuermann
> Aufsichtsrat/Supervisory Board: Michael Neuhaus (Vors./chairman), Harald
> Goertz, Eric Swehla
> Sitz der Gesellschaft/Registered Office: Am Brambusch 15-24, 44536 Lünen
> (Germany)
> Registergericht/Registry Court: Amtsgericht Dortmund | HRB 20621

_______________________________________________ cross-project-issues-dev mailing list cross-project-issues-dev@eclipse.org To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
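
The two properties discussed in the thread above (whether an artifact is jar signed or only has an external PGP signature, and which Bundle-SymbolicName and version it declares) can be read from the archive itself. The following is an added example, not code from the thread, Orbit or reload4j; the function names and the in-memory sample jars are constructed for illustration.

```python
import io
import re
import zipfile

# jarsigner leaves a signature file (.SF) and a signature block (.RSA/.DSA/.EC)
# directly under META-INF/. A detached PGP signature lives outside the archive.
_SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)
_SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)

def parse_main_attributes(manifest_text):
    """Parse the main section of MANIFEST.MF, joining wrapped continuation lines."""
    attrs, key = {}, None
    for line in manifest_text.splitlines():
        if not line:                       # a blank line ends the main section
            break
        if line.startswith(" ") and key:   # continuation of the previous value
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            attrs[key] = value.lstrip(" ")
    return attrs

def inspect_bundle(jar_bytes):
    """Report OSGi identity and whether the jar carries an embedded signature."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs = parse_main_attributes(manifest)
    # Bundle-SymbolicName may carry directives such as ";singleton:=true".
    bsn = attrs.get("Bundle-SymbolicName", "").split(";")[0].strip() or None
    signed = (any(_SIG_FILE.match(n) for n in names)
              and any(_SIG_BLOCK.match(n) for n in names))
    return {"symbolic_name": bsn, "version": attrs.get("Bundle-Version"),
            "jar_signed": signed}

def make_jar(manifest, extra=()):
    """Build a constructed sample jar in memory (not a real reload4j artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for name in extra:
            jar.writestr(name, b"constructed placeholder")
    return buf.getvalue()

# Constructed manifest; the symbolic name is wrapped onto a continuation line.
SAMPLE_MANIFEST = ("Manifest-Version: 1.0\r\nBundle-SymbolicName: org.apache\r\n"
                   " .log4j\r\nBundle-Version: 1.2.19\r\n\r\n")
UNSIGNED = inspect_bundle(make_jar(SAMPLE_MANIFEST))
SIGNED = inspect_bundle(make_jar(
    SAMPLE_MANIFEST, ["META-INF/ECLIPSE_.SF", "META-INF/ECLIPSE_.RSA"]))
```

A `jar_signed` value of `False` only means there is no embedded signature; a detached PGP signature has to be verified separately against the published `.asc` file.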