Hi
Thanks. The explanation reassures me.
Regards
Ed Willink
On 24/02/2022 15:18, Jonah Graham wrote:
On Thu, 24 Feb 2022 at 03:55, Ed Willink <ed.will...@gmail.com> wrote:
Hi
Ouch!. It seems like these are manually maintained and so subject
to human fallibility.
Not "Ouch!" but by design. Please see my reply to Martin's original
question.
If "latest" is to be useful, it must be automatic.
The latest is automated - covered as part of the releng steps[1] that
I reference in my Orbit announcements[2]
[1]
https://wiki.eclipse.org/Orbit/Promotion,_Release,_and_Retention_Policies#Milestone_Release_Process
[2] https://www.eclipse.org/lists/orbit-dev/msg05550.html
It makes sense to reference multiple repos, as in my cut and paste
from my S-build that referenced both latest-S and latest-R Orbit,
since latest-S is usually the most recent except just after a
release when latest-R may be later (unless a gratuitous S-build
immediately followed the R-build).
However multiple explicit references seems crazy especially when
they are so stale.
Please see my email about removal of CVS built bundles from the p2. If
you still refer to these old Orbit bundles you will need to keep a
reference to an older Orbit repo in your target platform, or update
your dependencies.
HTH,
Jonah
Regards
Ed Willink
On 24/02/2022 08:27, Martin Lippert wrote:
Hey!
Quick question:
why do those update sites refer to the latest S or R builds AS
WELL AS a specific release repo from 2020 ?
The content of the latest-S looks like:
<child location="../drops/R20201118194144/repository"/>
<child location="../drops2/S20220215213605/repository“/>
Any idea why the R20201118194144 repo is included here?
Cheers
Martin
Am 24.02.2022 um 06:47 schrieb Ed Willink <ed.will...@gmail.com>:
Hi
For those needing to update: Orbit now has:
<repository
location="https://download.eclipse.org/tools/orbit/downloads/latest-S";
<https://download.eclipse.org/tools/orbit/downloads/latest-S>/>
<repository
location="https://download.eclipse.org/tools/orbit/downloads/latest-R";
<https://download.eclipse.org/tools/orbit/downloads/latest-R>/>
so there is no need to update ever again. Just rebuild.
Regards
Ed Willink
On 24/02/2022 02:13, Jonah Graham wrote:
Hi folks,
I have now checked and the EPP packages that have
org.apache.log4j now have the 1.2.19 reload4j version.
Some progress has already been made on the bugs, so with a bit
more work we can have the whole simrel free of the 1.2.15
version of log4j.
However, individual projects need to update to the newest Orbit
version and rebuild. Numerous projects still have the 1.2.15
version in their p2 repos.
Thanks,
Jonah
~~~
Jonah Graham
Kichwa Coders
www.kichwacoders.com <http://www.kichwacoders.com/>
On Wed, 23 Feb 2022 at 12:22, Jonah Graham
<jo...@kichwacoders.com> wrote:
Hi folks,
The SimRel release will include the reload4j version of the
bundle. Most p2 install resolutions will pull in the
reload4j version.
However it also includes the 1.2.15 version because of some
hard dependencies on the 1.2.15 version (Bug 578940
<https://bugs.eclipse.org/bugs/show_bug.cgi?id=578940> Bug
578941 <https://bugs.eclipse.org/bugs/show_bug.cgi?id=578941>)
When I do the EPP build I will verify/report whether any of
the packages contain the 1.2.15 version.
Jonah
~~~
Jonah Graham
Kichwa Coders
www.kichwacoders.com <http://www.kichwacoders.com/>
On Wed, 16 Feb 2022 at 03:04, Dirk Fauth via
cross-project-issues-dev
<cross-project-issues-dev@eclipse.org> wrote:
Just as an information for people that did not get the
current status via other channels.
The re-bundled version of reload4j is available in the
latest stable build of Eclipse Orbit.
Logpresso has added handling for the re-bundled variant
and will not detect the vulnerability in its latest
version.
Christian Dietrich <christian.dietr...@itemis.de>
schrieb am Di., 8. Feb. 2022, 17:18:
yes i tried to use the pomDependencies consider
features
https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190576
https://ci.eclipse.org/orbit/job/gerrit-orbit-recipes/1782/artifact/releng/repository-all/target/repository/
but i get signing warning and also naming
conventions etc
are completely "bogus"
Am 08.02.22 um 17:16 schrieb Ed Merks:
Christian,
I *assume *it is not jar signed but rather only
has an external PGP signature.
Regards,...
Ed
On 08.02.2022 16:48, Christian Dietrich wrote:
is the orginal signing not enhough?
and what about about.html and other eclipse rule foo.
Am 08.02.22 um 16:32 schrieb Matthias Sohn:
I went ahead and pushed the naive addition of
reload4j 1.2.19 disguised as bundle
org.apache.log4j to Orbit
https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190574
feel free to change this if someone finds out
how to use EBR to only sign the upstream artefact.
-Matthias
On Tue, Feb 8, 2022 at 4:04 PM Dirk Fauth via
cross-project-issues-dev
<cross-project-issues-dev@eclipse.org> wrote:
Well, from my point of view the usage of
reload4j is the only backwards compatible
solution. Unfortunately not for every case,
e.g. too strict version ranges. The solution
forward is of course the usage of a log
wrapper to decouple development from
deployment.
Anyhow I don't know how to add a bundle jar
signed and unchanged to Orbit. I am only
aware of the re-bundling via EBR. Doing that
will cause a change in the jar structure
that causes for example logpresso to
identify a CVE, although it is fixed. Which
is actually only an issue in the detection.
But that was one of the reasons why I
contacted the reload4j project to change the
base to avoid the re-bundling.
Anyone who knows how to only sign and
publish to Orbit without re-bundling?
Ed Merks <ed.me...@gmail.com> schrieb am
Di., 8. Feb. 2022, 15:54:
Dirk,
Thanks. That's really great! It would
be great for this release cycle if it
were jar signed and available from Orbit
so that we could ship it with 2022-03...
There are people who are concerned:
https://www.eclipse.org/forums/index.php/mv/msg/1109656/1849775/#msg_1849775
Though I'm not sure if they would
consider the problem being fixed in
1.2.19 a fact and even if its a fact if
it would be a fact that matters...
Regards,
Ed
On 08.02.2022 15:48, Dirk Fauth via
cross-project-issues-dev wrote:
Hi,
I got in contact with the reload4j
team. They changed the
Bundle-SymbolicName to org.apache.log4j
and fixed several OSGi meta data
related issues in the meanwhile. Today
they published 1.2.19 which should work
as a drop-in replacement in Eclipse
based applications where Require-Bundle
was used. My local tests worked so far.
That said, re-bundling for Orbit should
not be necessary as reload4j could
directly be consumed via Maven Central.
Just wanted to keep you updated.
Greez,
Dirk
Ed Willink <ed.will...@gmail.com>
schrieb am Mi., 26. Jan. 2022, 13:47:
Hi
On 26/01/2022 07:48, Christoph
Läubrich wrote:
> Why not using SLF4J in all places
and let the user choose the
> implementation with their
favorite CVEs?
Use of SLF4J has been suggested
before and so I tried to be a good
Eclipse citizen. My failed attempts
are described in:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=559532
If SLF4J is to be used, can someone
please ensure that the platform is
fit for purpose and that there is a
good tutorial on how to do really
boring logging.
Regards
Ed Willink
--
This email has been checked for
viruses by Avast antivirus software.
https://www.avast.com/antivirus
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list,
visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list,
visithttps://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list,
visithttps://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
Vorstand/Board: Jens Wagener (Vors./chairman),
Dr. Stephan Eberle, Abdelghani El-Kacimi,
Wolfgang Neuhaus, Franz-Josef Schuermann
Aufsichtsrat/Supervisory Board: Michael Neuhaus
(Vors./chairman), Harald Goertz, Eric Swehla
Sitz der Gesellschaft/Registered Office: Am
Brambusch 15-24, 44536 Lünen (Germany)
Registergericht/Registry Court: Amtsgericht
Dortmund | HRB 20621
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list,
visithttps://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list,
visithttps://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
Vorstand/Board: Jens Wagener (Vors./chairman), Dr.
Stephan Eberle, Abdelghani El-Kacimi, Wolfgang
Neuhaus, Franz-Josef Schuermann
Aufsichtsrat/Supervisory Board: Michael Neuhaus
(Vors./chairman), Harald Goertz, Eric Swehla
Sitz der Gesellschaft/Registered Office: Am
Brambusch 15-24, 44536 Lünen (Germany)
Registergericht/Registry Court: Amtsgericht
Dortmund | HRB 20621
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list,
visithttps://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>
Virus-free. www.avast.com
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list,
visithttps://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
--
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
