Hey! Quick question: why do those update sites refer to the latest S or R builds AS WELL AS a specific release repo from 2020?

The content of the latest-S looks like:

<child location="../drops/R20201118194144/repository"/>
<child location="../drops2/S20220215213605/repository"/>

Any idea why the R20201118194144 repo is included here?

Cheers
Martin

> On 24.02.2022 at 06:47, Ed Willink <ed.will...@gmail.com> wrote:
>
> Hi
>
> For those needing to update: Orbit now has:
>
> <repository location="https://download.eclipse.org/tools/orbit/downloads/latest-S"/>
> <repository location="https://download.eclipse.org/tools/orbit/downloads/latest-R"/>
>
> so there is no need to update ever again. Just rebuild.
>
> Regards
>
> Ed Willink
>
> On 24/02/2022 02:13, Jonah Graham wrote:
>> Hi folks,
>>
>> I have now checked and the EPP packages that have org.apache.log4j now have
>> the 1.2.19 reload4j version.
>>
>> Some progress has already been made on the bugs, so with a bit more work we
>> can have the whole simrel free of the 1.2.15 version of log4j.
>>
>> However, individual projects need to update to the newest Orbit version and
>> rebuild. Numerous projects still have the 1.2.15 version in their p2 repos.
>>
>> Thanks,
>> Jonah
>>
>> ~~~
>> Jonah Graham
>> Kichwa Coders
>> www.kichwacoders.com
>>
>> On Wed, 23 Feb 2022 at 12:22, Jonah Graham <jo...@kichwacoders.com> wrote:
>> Hi folks,
>>
>> The SimRel release will include the reload4j version of the bundle. Most p2
>> install resolutions will pull in the reload4j version.
>>
>> However it also includes the 1.2.15 version because of some hard
>> dependencies on the 1.2.15 version (Bug 578940
>> <https://bugs.eclipse.org/bugs/show_bug.cgi?id=578940> Bug 578941
>> <https://bugs.eclipse.org/bugs/show_bug.cgi?id=578941>)
>>
>> When I do the EPP build I will verify/report whether any of the packages
>> contain the 1.2.15 version.
>>
>> Jonah
>>
>> ~~~
>> Jonah Graham
>> Kichwa Coders
>> www.kichwacoders.com
>>
>> On Wed, 16 Feb 2022 at 03:04, Dirk Fauth via cross-project-issues-dev
>> <cross-project-issues-dev@eclipse.org> wrote:
>> Just as an information for people that did not get the current status via
>> other channels.
>>
>> The re-bundled version of reload4j is available in the latest stable build
>> of Eclipse Orbit.
>>
>> Logpresso has added handling for the re-bundled variant and will not detect
>> the vulnerability in its latest version.
>>
>> Christian Dietrich <christian.dietr...@itemis.de> wrote on Tue, 8 Feb 2022, 17:18:
>> yes I tried to use the pomDependencies consider features
>> https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190576
>> https://ci.eclipse.org/orbit/job/gerrit-orbit-recipes/1782/artifact/releng/repository-all/target/repository/
>> but I get signing warning and also naming conventions etc
>> are completely "bogus"
>>
>> On 08.02.22 at 17:16, Ed Merks wrote:
>>> Christian,
>>>
>>> I assume it is not jar signed but rather only has an external PGP signature.
>>>
>>> Regards,...
>>> Ed
>>>
>>> On 08.02.2022 16:48, Christian Dietrich wrote:
>>>> is the original signing not enough?
>>>> and what about about.html and other eclipse rule foo.
>>>>
>>>> On 08.02.22 at 16:32, Matthias Sohn wrote:
>>>>> I went ahead and pushed the naive addition of reload4j 1.2.19 disguised
>>>>> as bundle org.apache.log4j to Orbit
>>>>> https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190574
>>>>> feel free to change this if someone finds out how to use EBR to only sign
>>>>> the upstream artefact.
>>>>>
>>>>> -Matthias
>>>>>
>>>>> On Tue, Feb 8, 2022 at 4:04 PM Dirk Fauth via cross-project-issues-dev
>>>>> <cross-project-issues-dev@eclipse.org> wrote:
>>>>> Well, from my point of view the usage of reload4j is the only backwards
>>>>> compatible solution. Unfortunately not for every case, e.g. too strict
>>>>> version ranges. The solution forward is of course the usage of a log
>>>>> wrapper to decouple development from deployment.
>>>>>
>>>>> Anyhow I don't know how to add a bundle jar signed and unchanged to
>>>>> Orbit. I am only aware of the re-bundling via EBR. Doing that will cause
>>>>> a change in the jar structure that causes for example logpresso to
>>>>> identify a CVE, although it is fixed. Which is actually only an issue in
>>>>> the detection. But that was one of the reasons why I contacted the
>>>>> reload4j project to change the base to avoid the re-bundling.
>>>>>
>>>>> Anyone who knows how to only sign and publish to Orbit without
>>>>> re-bundling?
>>>>>
>>>>> Ed Merks <ed.me...@gmail.com> wrote on Tue, 8 Feb 2022, 15:54:
>>>>> Dirk,
>>>>>
>>>>> Thanks. That's really great! It would be great for this release cycle
>>>>> if it were jar signed and available from Orbit so that we could ship it
>>>>> with 2022-03...
>>>>>
>>>>> There are people who are concerned:
>>>>>
>>>>> https://www.eclipse.org/forums/index.php/mv/msg/1109656/1849775/#msg_1849775
>>>>>
>>>>> Though I'm not sure if they would consider the problem being fixed in
>>>>> 1.2.19 a fact and even if it's a fact if it would be a fact that matters...
>>>>>
>>>>> Regards,
>>>>> Ed
>>>>>
>>>>> On 08.02.2022 15:48, Dirk Fauth via cross-project-issues-dev wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I got in contact with the reload4j team.
>>>>>> They changed the Bundle-SymbolicName to org.apache.log4j and fixed
>>>>>> several OSGi meta data related issues in the meanwhile. Today they
>>>>>> published 1.2.19 which should work as a drop-in replacement in Eclipse
>>>>>> based applications where Require-Bundle was used. My local tests worked
>>>>>> so far.
>>>>>>
>>>>>> That said, re-bundling for Orbit should not be necessary as reload4j
>>>>>> could directly be consumed via Maven Central.
>>>>>>
>>>>>> Just wanted to keep you updated.
>>>>>>
>>>>>> Greez,
>>>>>> Dirk
>>>>>>
>>>>>> Ed Willink <ed.will...@gmail.com> wrote on Wed, 26 Jan 2022, 13:47:
>>>>>> Hi
>>>>>>
>>>>>> On 26/01/2022 07:48, Christoph Läubrich wrote:
>>>>>> > Why not using SLF4J in all places and let the user choose the
>>>>>> > implementation with their favorite CVEs?
>>>>>>
>>>>>> Use of SLF4J has been suggested before and so I tried to be a good
>>>>>> Eclipse citizen. My failed attempts are described in:
>>>>>>
>>>>>> https://bugs.eclipse.org/bugs/show_bug.cgi?id=559532
>>>>>>
>>>>>> If SLF4J is to be used, can someone please ensure that the platform is
>>>>>> fit for purpose and that there is a good tutorial on how to do really
>>>>>> boring logging.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Ed Willink
>>>>>>
>>>>>> _______________________________________________
>>>>>> cross-project-issues-dev mailing list
>>>>>> cross-project-issues-dev@eclipse.org
>>>>>> To unsubscribe from this list, visit
>>>>>> https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
>>>>
>>>> Vorstand/Board: Jens Wagener (Vors./chairman), Dr. Stephan Eberle,
>>>> Abdelghani El-Kacimi, Wolfgang Neuhaus, Franz-Josef Schuermann
>>>> Aufsichtsrat/Supervisory Board: Michael Neuhaus (Vors./chairman), Harald
>>>> Goertz, Eric Swehla
>>>> Sitz der Gesellschaft/Registered Office: Am Brambusch 15-24, 44536 Lünen
>>>> (Germany)
>>>> Registergericht/Registry Court: Amtsgericht Dortmund | HRB 20621
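
The check discussed in the thread (whether a p2 repository still carries the 1.2.15 bundle under the name org.apache.log4j), as an added example that is not part of the thread or of any Eclipse project's code: it reads a jar's OSGi manifest and compares Bundle-Version against 1.2.19. The function names, constants and sample manifests are assumptions constructed for this example.

```python
import io
import zipfile

LOG4J_BSN = "org.apache.log4j"  # symbolic name used by log4j 1.x and, per the thread, reload4j 1.2.19
MIN_OK = (1, 2, 19)             # reload4j release the thread names as the replacement

def parse_manifest(text):
    """Parse the main section of a MANIFEST.MF, joining wrapped continuation lines."""
    headers, key = {}, None
    for line in text.splitlines():
        if not line:                        # a blank line ends the main section
            break
        if line.startswith(" ") and key:    # continuation of the previous header
            headers[key] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            headers[key] = value.lstrip()
    return headers

def osgi_version(value):
    """(major, minor, micro) of an OSGi version string; the qualifier is ignored."""
    return tuple(int(p) for p in (value.split(".") + ["0", "0"])[:3])

def check_bundle(jar_bytes):
    """Return (status, version); status is 'not-log4j', 'outdated' or 'ok'."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):  # not a jar, or no manifest
        return "not-log4j", None
    headers = parse_manifest(text)
    # The symbolic name may carry directives such as ";singleton:=true".
    name = headers.get("Bundle-SymbolicName", "").split(";")[0].strip()
    if name != LOG4J_BSN:
        return "not-log4j", None
    version = headers.get("Bundle-Version", "0.0.0")
    return ("ok" if osgi_version(version) >= MIN_OK else "outdated"), version

def make_jar(manifest):
    """Build an in-memory jar holding only a manifest (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

# Constructed manifests; the version qualifiers are made up for this example.
OLD = "Manifest-Version: 1.0\nBundle-SymbolicName: org.apache.log4j\nBundle-Version: 1.2.15.constructed\n"
NEW = "Manifest-Version: 1.0\nBundle-SymbolicName: org.apa\n che.log4j;singleton:=true\nBundle-Version: 1.2.19.constructed\n"

if __name__ == "__main__":
    for label, manifest in (("old", OLD), ("new", NEW)):
        print(label, check_bundle(make_jar(manifest)))
```

To audit a built repository, pass the bytes of each jar under its plugins directory to check_bundle and fail the build on any "outdated" result.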