Hi Christian,

I will check if EPP packages contain log4j 1.2.15.
SimRel will contain 1.2.15 in 2022-03 unless the two bugs listed are resolved in time.

Jonah

~~~
Jonah Graham
Kichwa Coders
www.kichwacoders.com


On Wed, 23 Feb 2022 at 12:27, Christian Dietrich <christian.dietr...@itemis.de> wrote:

> @Jonah, will you distinguish between "contain" and "pull"
>
> On 23.02.22 at 18:22, Jonah Graham wrote:
>
> Hi folks,
>
> The SimRel release will include the reload4j version of the bundle. Most
> p2 install resolutions will pull in the reload4j version.
>
> However it also includes the 1.2.15 version because of some hard
> dependencies on the 1.2.15 version (Bug 578940
> <https://bugs.eclipse.org/bugs/show_bug.cgi?id=578940> Bug 578941
> <https://bugs.eclipse.org/bugs/show_bug.cgi?id=578941>)
>
> When I do the EPP build I will verify/report whether any of the packages
> contain the 1.2.15 version.
>
> Jonah
>
>
> ~~~
> Jonah Graham
> Kichwa Coders
> www.kichwacoders.com
>
>
> On Wed, 16 Feb 2022 at 03:04, Dirk Fauth via cross-project-issues-dev <
> cross-project-issues-dev@eclipse.org> wrote:
>
>> Just as an information for people that did not get the current status via
>> other channels.
>>
>> The re-bundled version of reload4j is available in the latest stable
>> build of Eclipse Orbit.
>>
>> Logpresso has added handling for the re-bundled variant and will not
>> detect the vulnerability in its latest version.
>>
>> Christian Dietrich <christian.dietr...@itemis.de> wrote on Tue, 8 Feb 2022, 17:18:
>>
>>> yes I tried to use the pomDependencies consider features
>>> https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190576
>>>
>>> https://ci.eclipse.org/orbit/job/gerrit-orbit-recipes/1782/artifact/releng/repository-all/target/repository/
>>> but I get signing warning and also naming conventions etc
>>> are completely "bogus"
>>> On 08.02.22 at 17:16, Ed Merks wrote:
>>>
>>> Christian,
>>>
>>> I *assume* it is not jar signed but rather only has an external PGP
>>> signature.
>>>
>>> Regards,...
>>> Ed
>>> On 08.02.2022 16:48, Christian Dietrich wrote:
>>>
>>> is the original signing not enough?
>>> and what about about.html and other eclipse rule foo.
>>> On 08.02.22 at 16:32, Matthias Sohn wrote:
>>>
>>> I went ahead and pushed the naive addition of reload4j 1.2.19 disguised
>>> as bundle org.apache.log4j to Orbit
>>> https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190574
>>> feel free to change this if someone finds out how to use EBR to only
>>> sign the upstream artefact.
>>> -Matthias
>>>
>>> On Tue, Feb 8, 2022 at 4:04 PM Dirk Fauth via cross-project-issues-dev <
>>> cross-project-issues-dev@eclipse.org> wrote:
>>>
>>>> Well, from my point of view the usage of reload4j is the only backwards
>>>> compatible solution. Unfortunately not for every case, e.g. too strict
>>>> version ranges. The solution forward is of course the usage of a log
>>>> wrapper to decouple development from deployment.
>>>>
>>>> Anyhow I don't know how to add a bundle jar signed and unchanged to
>>>> Orbit. I am only aware of the re-bundling via EBR. Doing that will cause a
>>>> change in the jar structure that causes for example logpresso to identify a
>>>> CVE, although it is fixed. Which is actually only an issue in the
>>>> detection. But that was one of the reasons why I contacted the reload4j
>>>> project to change the base to avoid the re-bundling.
>>>>
>>>> Anyone who knows how to only sign and publish to Orbit without
>>>> re-bundling?
>>>>
>>>> Ed Merks <ed.me...@gmail.com> wrote on Tue, 8 Feb 2022, 15:54:
>>>>
>>>>> Dirk,
>>>>>
>>>>> Thanks. That's really great! It would be great for this release
>>>>> cycle if it were jar signed and available from Orbit so that we could ship
>>>>> it with 2022-03...
>>>>>
>>>>> There are people who are concerned:
>>>>>
>>>>>
>>>>> https://www.eclipse.org/forums/index.php/mv/msg/1109656/1849775/#msg_1849775
>>>>>
>>>>> Though I'm not sure if they would consider the problem being fixed in
>>>>> 1.2.19 a fact and even if it's a fact if it would be a fact that matters...
>>>>>
>>>>> Regards,
>>>>> Ed
>>>>>
>>>>> On 08.02.2022 15:48, Dirk Fauth via cross-project-issues-dev wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I got in contact with the reload4j team. They changed the
>>>>> Bundle-SymbolicName to org.apache.log4j and fixed several OSGi meta data
>>>>> related issues in the meanwhile. Today they published 1.2.19 which should
>>>>> work as a drop-in replacement in Eclipse based applications where
>>>>> Require-Bundle was used. My local tests worked so far.
>>>>>
>>>>> That said, re-bundling for Orbit should not be necessary as reload4j
>>>>> could directly be consumed via Maven Central.
>>>>>
>>>>> Just wanted to keep you updated.
>>>>>
>>>>> Greez,
>>>>> Dirk
>>>>>
>>>>> Ed Willink <ed.will...@gmail.com> wrote on Wed, 26 Jan 2022, 13:47:
>>>>>
>>>>>> Hi
>>>>>>
>>>>>> On 26/01/2022 07:48, Christoph Läubrich wrote:
>>>>>> > Why not using SLF4J in all places and let the user choose the
>>>>>> > implementation with their favorite CVEs?
>>>>>>
>>>>>> Use of SLF4J has been suggested before and so I tried to be a good
>>>>>> Eclipse citizen. My failed attempts are described in:
>>>>>>
>>>>>> https://bugs.eclipse.org/bugs/show_bug.cgi?id=559532
>>>>>>
>>>>>> If SLF4J is to be used, can someone please ensure that the platform
>>>>>> is fit for purpose and that there is a good tutorial on how to do really
>>>>>> boring logging.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Ed Willink
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
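
Added example (not part of the thread and not Eclipse or reload4j project code): the thread notes that reload4j 1.2.19 only works as a drop-in for Require-Bundle consumers whose version range is not "too strict", and that hard dependencies keep 1.2.15 in the repository. The sketch below reads a bundle's MANIFEST.MF and reports whether its org.apache.log4j requirement admits a given version; the sample manifests and bundle names are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample manifests (not taken from any real bundle).
STRICT = ('Manifest-Version: 1.0\nBundle-SymbolicName: example.strict\n'
          'Require-Bundle: org.eclipse.core.runtime,org.apache.log4j;bundle-version="[1.2.15\n'
          ' ,1.2.16)"\n')
OPEN = 'Bundle-SymbolicName: example.open\nRequire-Bundle: org.apache.log4j;bundle-version="1.2.15"\n'

def parse_manifest(text):
    """Main-section headers of a MANIFEST.MF; a leading space continues the previous line."""
    headers, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            headers[key] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            headers[key] = value.strip()
        else:
            break  # blank line ends the main section
    return headers

def version_tuple(v):
    """major.minor.micro as ints; missing parts are 0, a qualifier is ignored."""
    return tuple(int(p) for p in (v.strip().split(".") + ["0", "0"])[:3])

def in_range(version, rng):
    """OSGi semantics: '[a,b)' style interval, or a bare version meaning 'at least'."""
    v = version_tuple(version)
    m = re.fullmatch(r'([\[(])([\d.]+),([\d.]+)([\])])', rng.replace(" ", ""))
    if not m:
        return v >= version_tuple(rng)
    lo, hi = version_tuple(m.group(2)), version_tuple(m.group(3))
    return (v >= lo if m.group(1) == "[" else v > lo) and \
           (v <= hi if m.group(4) == "]" else v < hi)

def log4j_range(require_bundle, name="org.apache.log4j"):
    """bundle-version required for `name`; '0.0.0' if unversioned, None if not required."""
    # Split clauses only on commas outside double quotes (ranges contain commas).
    for clause in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', require_bundle):
        parts = [p.strip() for p in clause.split(";")]
        if parts[0] == name:
            attrs = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
            return attrs.get("bundle-version", "0.0.0").strip('"')
    return None

def accepts(manifest_text, candidate):
    """True/False if the bundle's log4j requirement admits `candidate`, None if no requirement."""
    rng = log4j_range(parse_manifest(manifest_text).get("Require-Bundle", ""))
    return None if rng is None else in_range(candidate, rng)
```

A bundle for which `accepts(manifest, "1.2.19")` is False is one that would keep the 1.2.15 bundle in an installation even when the reload4j variant is available.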