lhotari commented on issue #8815:
URL: https://github.com/apache/pulsar/issues/8815#issuecomment-1028354481


> With this high number of dependencies of all kinds and different ages, the main question that is bothering me:
>
> => Is it enough (or at least the best thing we could do at this time) if only the dependencies with already well-known/reported security issues are identified and updated, like addressed in #13972 (which is great of course!!)?
>
> -> a) Or is there a big risk of sacrificing security, performance and bug-freeness we didn't see yet (see the goal of this issue, [#8815 (comment)](https://github.com/apache/pulsar/issues/8815#issue-756101012)) resulting from some of the other dependencies (with no yet reported security risks) for which there are also already updates available (sometimes for a long time)?
>
> -> b) How can we be sure that every dependency, introduced several years ago, is still in use / really needed in today's Pulsar?

Very good questions.

@nicoloboschi and @dlg99 from DataStax have been contributing many changes to address vulnerable library versions. DataStax has bought a license for Sonatype IQ Server and also scans Apache Pulsar frequently.

Another aspect of software supply chain security is build reproducibility: are the built artifacts really built from the source code they claim to be built from? For Java projects, there's more information at https://reproducible-builds.org/docs/jvm/ and https://github.com/jvm-repo-rebuild/reproducible-central . It would be good to get Apache Pulsar into the Reproducible Builds program. Reproducible Builds have been discussed a few times.

@hpvd Since the mailing list is the main channel for making major decisions in Apache projects, it would be useful to bring your improvement suggestions to the Apache Pulsar community. [email protected] would be a good list to have this discussion on. Mailing list details are at https://pulsar.apache.org/en/contact/ .
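As an added illustration of the reproducibility check the comment above describes (not code from the comment or from the Pulsar project): rebuild an artifact and compare it with the published one entry by entry, so that a mismatch caused only by zip entry timestamps (the usual reason JVM builds fail to reproduce, which is what a fixed Maven `project.build.outputTimestamp` addresses) is told apart from a mismatch in class content. The two jars are constructed in memory for the example.

```python
"""Entry-level comparison of two JAR builds.  Whole-file hashes differ as soon as
zip entry timestamps differ, so compare_builds() separates content changes from
metadata-only ones.  Added example: the jars are constructed, not Pulsar artifacts."""
import hashlib
import io
import zipfile

# Constructed sample content standing in for a manifest and a compiled class.
ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/example/Foo.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x37constructed",
}
STAMP_A = (2022, 1, 1, 0, 0, 0)      # fixed timestamps, as a pinned
STAMP_B = (2022, 2, 3, 12, 30, 0)    # project.build.outputTimestamp provides

def build_jar(entries, stamp):
    """Write a jar-like zip in memory, every entry carrying the same timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(entries.items()):   # stable entry order
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def entry_digests(jar_bytes):
    """Map each entry name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {i.filename: sha256(zf.read(i)) for i in zf.infolist()}

def compare_builds(reference, rebuild):
    """Return (identical, content_diffs).  identical is True only when the archive
    bytes match; content_diffs lists entries whose content differs or that exist
    on one side only, so (False, []) means a metadata-only (timestamp) difference."""
    if reference == rebuild:
        return True, []
    ref, new = entry_digests(reference), entry_digests(rebuild)
    diffs = sorted(n for n in set(ref) | set(new) if ref.get(n) != new.get(n))
    return False, diffs

if __name__ == "__main__":
    a = build_jar(ENTRIES, STAMP_A)
    print("same source, same stamp  :", compare_builds(a, build_jar(ENTRIES, STAMP_A)))
    print("same source, other stamp :", compare_builds(a, build_jar(ENTRIES, STAMP_B)))
    changed = {**ENTRIES, "org/example/Foo.class": b"\xca\xfe\xba\xbe tampered"}
    print("changed class, same stamp:", compare_builds(a, build_jar(changed, STAMP_A)))
```

Against real artifacts, `reference` would be the bytes of the published jar and `rebuild` the output of building the tagged source; a non-empty `content_diffs` is the result that needs investigating.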