@Jonah, will you distinguish between "contain" and "pull"?

On 23.02.22 at 18:22, Jonah Graham wrote:
Hi folks,

The SimRel release will include the reload4j version of the bundle. Most p2 install resolutions will pull in the reload4j version.

However it also includes the 1.2.15 version because of some hard dependencies on the 1.2.15 version (Bug 578940 <https://bugs.eclipse.org/bugs/show_bug.cgi?id=578940> Bug 578941 <https://bugs.eclipse.org/bugs/show_bug.cgi?id=578941>)

When I do the EPP build I will verify/report whether any of the packages contain the 1.2.15 version.

Jonah


~~~
Jonah Graham
Kichwa Coders
www.kichwacoders.com <http://www.kichwacoders.com>


On Wed, 16 Feb 2022 at 03:04, Dirk Fauth via cross-project-issues-dev <cross-project-issues-dev@eclipse.org> wrote:

    Just as information for people that did not get the current
    status via other channels.

    The re-bundled version of reload4j is available in the latest
    stable build of Eclipse Orbit.

    Logpresso has added handling for the re-bundled variant and will
    not detect the vulnerability in its latest version.

    Christian Dietrich <christian.dietr...@itemis.de> wrote on Tue,
    8 Feb 2022, 17:18:

        Yes, I tried to use the pomDependencies consider features
        https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190576
        https://ci.eclipse.org/orbit/job/gerrit-orbit-recipes/1782/artifact/releng/repository-all/target/repository/
        but I get a signing warning, and the naming conventions etc.
        are completely "bogus".

        On 08.02.22 at 17:16, Ed Merks wrote:

        Christian,

        I *assume* it is not jar signed but rather only has an
        external PGP signature.

        Regards,...
        Ed

        On 08.02.2022 16:48, Christian Dietrich wrote:

        Is the original signing not enough?
        And what about about.html and other Eclipse rule foo?

        On 08.02.22 at 16:32, Matthias Sohn wrote:
        I went ahead and pushed the naive addition of reload4j
        1.2.19 disguised as bundle org.apache.log4j to Orbit
        https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190574
        feel free to change this if someone finds out how to use
        EBR to only sign the upstream artefact.
        -Matthias

        On Tue, Feb 8, 2022 at 4:04 PM Dirk Fauth via
        cross-project-issues-dev
        <cross-project-issues-dev@eclipse.org> wrote:

            Well, from my point of view the usage of reload4j is
            the only backwards compatible solution. Unfortunately
            not for every case, e.g. too strict version ranges. The
            solution forward is of course the usage of a log
            wrapper to decouple development from deployment.

            Anyhow I don't know how to add a bundle jar signed and
            unchanged to Orbit. I am only aware of the re-bundling
            via EBR. Doing that will cause a change in the jar
            structure that causes for example logpresso to identify
            a CVE, although it is fixed. Which is actually only an
            issue in the detection. But that was one of the reasons
            why I contacted the reload4j project to change the base
            to avoid the re-bundling.

            Anyone who knows how to only sign and publish to Orbit
            without re-bundling?

            Ed Merks <ed.me...@gmail.com> wrote on Tue, 8 Feb 2022,
            15:54:

                Dirk,

                Thanks.  That's really great!  It would be great
                for this release cycle if it were jar signed and
                available from Orbit so that we could ship it with
                2022-03...

                There are people who are concerned:

                https://www.eclipse.org/forums/index.php/mv/msg/1109656/1849775/#msg_1849775

                Though I'm not sure if they would consider the
                problem being fixed in 1.2.19 a fact and even if
                it's a fact if it would be a fact that matters...

                Regards,
                Ed

                On 08.02.2022 15:48, Dirk Fauth via
                cross-project-issues-dev wrote:
                Hi,

                I got in contact with the reload4j team. They
                changed the Bundle-SymbolicName to
                org.apache.log4j and fixed several OSGi meta data
                related issues in the meanwhile. Today they
                published 1.2.19 which should work as a drop-in
                replacement in Eclipse based applications where
                Require-Bundle was used. My local tests worked so far.

                That said, re-bundling for Orbit should not be
                necessary as reload4j could directly be consumed
                via Maven Central.

                Just wanted to keep you updated.

                Greez,
                Dirk

                Ed Willink <ed.will...@gmail.com> wrote on Wed,
                26 Jan 2022, 13:47:

                    Hi

                    On 26/01/2022 07:48, Christoph Läubrich wrote:
                    > Why not using SLF4J in all places and let the user choose the
                    > implementation with their favorite CVEs?

                    Use of SLF4J has been suggested before and so I tried to be a
                    good Eclipse citizen. My failed attempts are described in:

                    https://bugs.eclipse.org/bugs/show_bug.cgi?id=559532

                    If SLF4J is to be used, can someone please ensure that the
                    platform is fit for purpose and that there is a good tutorial
                    on how to do really boring logging.

                    Regards

                    Ed Willink



                    _______________________________________________
                    cross-project-issues-dev mailing list
                    cross-project-issues-dev@eclipse.org
                    To unsubscribe from this list, visit
                    https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev



        Vorstand/Board: Jens Wagener (Vors./chairman), Dr. Stephan
        Eberle, Abdelghani El-Kacimi, Wolfgang Neuhaus, Franz-Josef
        Schuermann
        Aufsichtsrat/Supervisory Board: Michael Neuhaus
        (Vors./chairman), Harald Goertz, Eric Swehla
        Sitz der Gesellschaft/Registered Office: Am Brambusch 15-24,
        44536 Lünen (Germany)
        Registergericht/Registry Court: Amtsgericht Dortmund | HRB 20621

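An added example, not part of the thread or of any Eclipse tooling: one way to run the "does a package contain the 1.2.15 version" check discussed above is to read each bundle's Bundle-SymbolicName and Bundle-Version from its manifest and note whether the jar carries embedded signature files (an external PGP signature would not appear inside the jar). The sample jars, their file names, the "sample" qualifier and the SAMPLE.SF/SAMPLE.RSA entries are constructed for illustration; the 1.2.19 threshold is the fixed version named in the thread.

```python
import io
import zipfile

SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")  # JAR signature file extensions

def parse_manifest(text):
    """Parse the main section of a MANIFEST.MF, unfolding continuation lines."""
    headers, last = {}, None
    for line in text.splitlines():
        if not line:
            break  # a blank line ends the main section
        if line.startswith(" ") and last:
            headers[last] += line[1:]  # continuation of the previous header
        elif ": " in line:
            last, value = line.split(": ", 1)
            headers[last] = value
    return headers

def inspect_bundle(jar_bytes):
    """Return (symbolic_name, version, jar_signed) for one bundle jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    bsn = manifest.get("Bundle-SymbolicName", "").split(";")[0].strip()
    signed = any(n.startswith("META-INF/") and n.count("/") == 1
                 and n.upper().endswith(SIG_SUFFIXES) for n in names)
    return bsn, manifest.get("Bundle-Version", ""), signed

def flag_old_log4j(bundles, fixed=(1, 2, 19)):
    """Names of jars whose org.apache.log4j bundle version is below `fixed`."""
    flagged = []
    for filename, data in bundles.items():
        bsn, version, _ = inspect_bundle(data)
        numeric = tuple(int(p) for p in version.split(".")[:3] if p.isdigit())
        if bsn == "org.apache.log4j" and numeric < fixed:
            flagged.append(filename)
    return sorted(flagged)

def make_jar(bsn, version, signed):  # constructed sample jar, not a real bundle
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n"
                     f"Bundle-SymbolicName: {bsn}\nBundle-Version: {version}\n")
        for ext in (("SF", "RSA") if signed else ()):
            jar.writestr(f"META-INF/SAMPLE.{ext}", "constructed placeholder")
    return buf.getvalue()

SAMPLE = {f"{b}_{v}.jar": make_jar(b, v, s) for b, v, s in [  # constructed values
    ("org.apache.log4j", "1.2.15.sample", True), ("org.apache.log4j", "1.2.19", False)]}
```

Because both bundles share the symbolic name org.apache.log4j, only the version separates them, so a bundle with a missing or unparsable Bundle-Version is flagged as well.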