Hi Christian,

I will check if EPP packages contain log4j 1.2.15.

SimRel will contain 1.2.15 in 2022-03 unless the two bugs listed are
resolved in time.

Jonah

~~~
Jonah Graham
Kichwa Coders
www.kichwacoders.com


On Wed, 23 Feb 2022 at 12:27, Christian Dietrich <
christian.dietr...@itemis.de> wrote:

> @Jonah, will you distinguish between "contain" and "pull"?
> On 23.02.22 at 18:22, Jonah Graham wrote:
>
> Hi folks,
>
> The SimRel release will include the reload4j version of the bundle. Most
> p2 install resolutions will pull in the reload4j version.
>
> However it also includes the 1.2.15 version because of some hard
> dependencies on the 1.2.15 version (Bug 578940
> <https://bugs.eclipse.org/bugs/show_bug.cgi?id=578940> Bug 578941
> <https://bugs.eclipse.org/bugs/show_bug.cgi?id=578941>)
>
> When I do the EPP build I will verify/report whether any of the packages
> contain the 1.2.15 version.
>
> Jonah
>
>
> ~~~
> Jonah Graham
> Kichwa Coders
> www.kichwacoders.com
>
>
> On Wed, 16 Feb 2022 at 03:04, Dirk Fauth via cross-project-issues-dev <
> cross-project-issues-dev@eclipse.org> wrote:
>
>> Just as information for people who did not get the current status via
>> other channels.
>>
>> The re-bundled version of reload4j is available in the latest stable
>> build of Eclipse Orbit.
>>
>> Logpresso has added handling for the re-bundled variant and will not
>> detect the vulnerability in its latest version.
>>
>> Christian Dietrich <christian.dietr...@itemis.de> wrote on Tue, 8
>> Feb. 2022, 17:18:
>>
>>> yes i tried to use the pomDependencies consider features
>>> https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190576
>>>
>>> https://ci.eclipse.org/orbit/job/gerrit-orbit-recipes/1782/artifact/releng/repository-all/target/repository/
>>> but i get signing warning and also naming conventions etc
>>> are completely "bogus"
>>> On 08.02.22 at 17:16, Ed Merks wrote:
>>>
>>> Christian,
>>>
>>> I *assume* it is not jar signed but rather only has an external PGP
>>> signature.
>>>
>>> Regards,...
>>> Ed
>>> On 08.02.2022 16:48, Christian Dietrich wrote:
>>>
>>> is the original signing not enough?
>>> and what about about.html and other eclipse rule foo.
>>> On 08.02.22 at 16:32, Matthias Sohn wrote:
>>>
>>> I went ahead and pushed the naive addition of reload4j 1.2.19 disguised
>>> as bundle org.apache.log4j to Orbit
>>> https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190574
>>> feel free to change this if someone finds out how to use EBR to only
>>> sign the upstream artefact.
>>> -Matthias
>>>
>>> On Tue, Feb 8, 2022 at 4:04 PM Dirk Fauth via cross-project-issues-dev <
>>> cross-project-issues-dev@eclipse.org> wrote:
>>>
>>>> Well, from my point of view the usage of reload4j is the only backwards
>>>> compatible solution. Unfortunately not for every case, e.g. too strict
>>>> version ranges. The solution forward is of course the usage of a log
>>>> wrapper to decouple development from deployment.
>>>>
>>>> Anyhow I don't know how to add a bundle jar signed and unchanged to
>>>> Orbit. I am only aware of the re-bundling via EBR. Doing that will cause a
>>>> change in the jar structure that causes for example logpresso to identify a
>>>> CVE, although it is fixed. Which is actually only an issue in the
>>>> detection. But that was one of the reasons why I contacted the reload4j
>>>> project to change the base to avoid the re-bundling.
>>>>
>>>> Anyone who knows how to only sign and publish to Orbit without
>>>> re-bundling?
>>>>
>>>> Ed Merks <ed.me...@gmail.com> wrote on Tue, 8 Feb. 2022, 15:54:
>>>>
>>>>> Dirk,
>>>>>
>>>>> Thanks.  That's really great!  It would be great for this release
>>>>> cycle if it were jar signed and available from Orbit so that we could ship
>>>>> it with 2022-03...
>>>>>
>>>>> There are people who are concerned:
>>>>>
>>>>>
>>>>> https://www.eclipse.org/forums/index.php/mv/msg/1109656/1849775/#msg_1849775
>>>>>
>>>>> Though I'm not sure if they would consider the problem being fixed in
>>>>> 1.2.19 a fact and even if it's a fact if it would be a fact that matters...
>>>>>
>>>>> Regards,
>>>>> Ed
>>>>>
>>>>> On 08.02.2022 15:48, Dirk Fauth via cross-project-issues-dev wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I got in contact with the reload4j team. They changed the
>>>>> Bundle-SymbolicName to org.apache.log4j and fixed several OSGi meta data
>>>>> related issues in the meanwhile. Today they published 1.2.19 which should
>>>>> work as a drop-in replacement in Eclipse based applications where
>>>>> Require-Bundle was used. My local tests worked so far.
>>>>>
>>>>> That said, re-bundling for Orbit should not be necessary as reload4j
>>>>> could directly be consumed via Maven Central.
>>>>>
>>>>> Just wanted to keep you updated.
>>>>>
>>>>> Greez,
>>>>> Dirk
>>>>>
>>>>> Ed Willink <ed.will...@gmail.com> wrote on Wed, 26 Jan. 2022,
>>>>> 13:47:
>>>>>
>>>>>> Hi
>>>>>>
>>>>>> On 26/01/2022 07:48, Christoph Läubrich wrote:
>>>>>> > Why not using SLF4J in all places and let the user choose the
>>>>>> > implementation with their favorite CVEs?
>>>>>>
>>>>>> Use of SLF4J has been suggested before and so I tried to be a good
>>>>>> Eclipse citizen. My failed attempts are described in:
>>>>>>
>>>>>> https://bugs.eclipse.org/bugs/show_bug.cgi?id=559532
>>>>>>
>>>>>> If SLF4J is to be used, can someone please ensure that the platform
>>>>>> is
>>>>>> fit for purpose and that there is a good tutorial on how to do really
>>>>>> boring logging.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Ed Willink
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> cross-project-issues-dev mailing list
>>>>>> cross-project-issues-dev@eclipse.org
>>>>>> To unsubscribe from this list, visit
>>>>>> https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
>>>>>>
>>>
>>> Vorstand/Board: Jens Wagener (Vors./chairman), Dr. Stephan Eberle,
>>> Abdelghani El-Kacimi, Wolfgang Neuhaus, Franz-Josef Schuermann
>>> Aufsichtsrat/Supervisory Board: Michael Neuhaus (Vors./chairman), Harald
>>> Goertz, Eric Swehla
>>> Sitz der Gesellschaft/Registered Office: Am Brambusch 15-24, 44536 Lünen
>>> (Germany)
>>> Registergericht/Registry Court: Amtsgericht Dortmund | HRB 20621
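As an added example (not part of the thread, and not Eclipse or Logpresso tooling), one way to run the "contain" check discussed above is to read each jar's OSGi manifest rather than its file name or internal layout, since reload4j 1.2.19 carries the same Bundle-SymbolicName as log4j 1.2.15. The jar names and manifests are constructed, and treating any `org.apache.log4j` bundle at or above 1.2.19 as reload4j is an assumption.

```python
import io
import zipfile

TARGET_BSN = "org.apache.log4j"  # Bundle-SymbolicName discussed in the thread

def parse_manifest(text):
    """Parse the main section of a JAR manifest, joining wrapped lines."""
    headers, last = {}, None
    for line in text.splitlines():
        if not line:                      # blank line ends the main section
            break
        if line.startswith(" ") and last: # continuation of the previous header
            headers[last] += line[1:]
        elif ": " in line:
            last, value = line.split(": ", 1)
            headers[last] = value
    return headers

def log4j_bundle_version(jar_bytes):
    """Return Bundle-Version if the jar is an org.apache.log4j bundle, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None                       # not a jar, or no manifest
    headers = parse_manifest(text)
    bsn = headers.get("Bundle-SymbolicName", "").split(";")[0].strip()
    # A missing version is reported as 0.0.0 so the bundle is still flagged.
    return headers.get("Bundle-Version", "0.0.0") if bsn == TARGET_BSN else None

def classify(version):
    """Assumption: only reload4j ships this symbolic name at 1.2.19 or later."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return "reload4j" if parts >= (1, 2, 19) else "legacy-log4j"

def scan(jars):
    """Map jar name -> variant for every org.apache.log4j bundle found."""
    return {name: classify(v) for name, data in jars.items()
            if (v := log4j_bundle_version(data))}

def make_jar(manifest):
    """Build an in-memory jar holding only a manifest (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

HEAD = "Manifest-Version: 1.0\r\nBundle-SymbolicName: "
SAMPLE = {  # constructed file names and manifests, one with a wrapped header
    "a.jar": make_jar(HEAD + "org.apache.lo\r\n g4j\r\nBundle-Version: 1.2.15.v1\r\n"),
    "b.jar": make_jar(HEAD + "org.apache.log4j\r\nBundle-Version: 1.2.19\r\n"),
    "c.jar": make_jar(HEAD + "org.example.other\r\nBundle-Version: 1.2.15\r\n"),
}
```
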