Hi folks,

Well done on all the hard work from everyone. 2022-03 SimRel repository (the one that will be https://download.eclipse.org/releases/2022-03/) is now free of the 1.2.15 version of log4j and those consumers that need log4j 1.x are using the reload4j version.

Some individual projects need to update to the newest Orbit version as their p2 repos still have 1.2.15.

Jonah

~~~
Jonah Graham
Kichwa Coders
www.kichwacoders.com

On Wed, 23 Feb 2022 at 21:13, Jonah Graham <jo...@kichwacoders.com> wrote:
> Hi folks,
>
> I have now checked and the EPP packages that have org.apache.log4j now have the 1.2.19 reload4j version.
>
> Some progress has already been made on the bugs, so with a bit more work we can have the whole simrel free of the 1.2.15 version of log4j.
>
> However, individual projects need to update to the newest Orbit version and rebuild. Numerous projects still have the 1.2.15 version in their p2 repos.
>
> Thanks,
> Jonah
>
> ~~~
> Jonah Graham
> Kichwa Coders
> www.kichwacoders.com
>
> On Wed, 23 Feb 2022 at 12:22, Jonah Graham <jo...@kichwacoders.com> wrote:
>> Hi folks,
>>
>> The SimRel release will include the reload4j version of the bundle. Most p2 install resolutions will pull in the reload4j version.
>>
>> However it also includes the 1.2.15 version because of some hard dependencies on the 1.2.15 version (Bug 578940 <https://bugs.eclipse.org/bugs/show_bug.cgi?id=578940>, Bug 578941 <https://bugs.eclipse.org/bugs/show_bug.cgi?id=578941>).
>>
>> When I do the EPP build I will verify/report whether any of the packages contain the 1.2.15 version.
>>
>> Jonah
>>
>> ~~~
>> Jonah Graham
>> Kichwa Coders
>> www.kichwacoders.com
>>
>> On Wed, 16 Feb 2022 at 03:04, Dirk Fauth via cross-project-issues-dev <cross-project-issues-dev@eclipse.org> wrote:
>>> Just as an information for people that did not get the current status via other channels.
>>>
>>> The re-bundled version of reload4j is available in the latest stable build of Eclipse Orbit.
>>>
>>> Logpresso has added handling for the re-bundled variant and will not detect the vulnerability in its latest version.
>>>
>>> Christian Dietrich <christian.dietr...@itemis.de> wrote on Tue, 8 Feb 2022, 17:18:
>>>> yes i tried to use the pomDependencies consider features
>>>> https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190576
>>>> https://ci.eclipse.org/orbit/job/gerrit-orbit-recipes/1782/artifact/releng/repository-all/target/repository/
>>>> but i get signing warning and also naming conventions etc are completely "bogus"
>>>>
>>>> On 08.02.22 at 17:16, Ed Merks wrote:
>>>>
>>>> Christian,
>>>>
>>>> I *assume* it is not jar signed but rather only has an external PGP signature.
>>>>
>>>> Regards,...
>>>> Ed
>>>>
>>>> On 08.02.2022 16:48, Christian Dietrich wrote:
>>>>
>>>> is the original signing not enough?
>>>> and what about about.html and other eclipse rule foo.
>>>>
>>>> On 08.02.22 at 16:32, Matthias Sohn wrote:
>>>>
>>>> I went ahead and pushed the naive addition of reload4j 1.2.19 disguised as bundle org.apache.log4j to Orbit
>>>> https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190574
>>>> feel free to change this if someone finds out how to use EBR to only sign the upstream artefact.
>>>> -Matthias
>>>>
>>>> On Tue, Feb 8, 2022 at 4:04 PM Dirk Fauth via cross-project-issues-dev <cross-project-issues-dev@eclipse.org> wrote:
>>>>> Well, from my point of view the usage of reload4j is the only backwards compatible solution. Unfortunately not for every case, e.g. too strict version ranges. The solution forward is of course the usage of a log wrapper to decouple development from deployment.
>>>>>
>>>>> Anyhow I don't know how to add a bundle jar signed and unchanged to Orbit. I am only aware of the re-bundling via EBR. Doing that will cause a change in the jar structure that causes for example logpresso to identify a CVE, although it is fixed. Which is actually only an issue in the detection. But that was one of the reasons why I contacted the reload4j project to change the base to avoid the re-bundling.
>>>>>
>>>>> Anyone who knows how to only sign and publish to Orbit without re-bundling?
>>>>>
>>>>> Ed Merks <ed.me...@gmail.com> wrote on Tue, 8 Feb 2022, 15:54:
>>>>>> Dirk,
>>>>>>
>>>>>> Thanks. That's really great! It would be great for this release cycle if it were jar signed and available from Orbit so that we could ship it with 2022-03...
>>>>>>
>>>>>> There are people who are concerned:
>>>>>>
>>>>>> https://www.eclipse.org/forums/index.php/mv/msg/1109656/1849775/#msg_1849775
>>>>>>
>>>>>> Though I'm not sure if they would consider the problem being fixed in 1.2.19 a fact and even if it's a fact if it would be a fact that matters...
>>>>>>
>>>>>> Regards,
>>>>>> Ed
>>>>>>
>>>>>> On 08.02.2022 15:48, Dirk Fauth via cross-project-issues-dev wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I got in contact with the reload4j team. They changed the Bundle-SymbolicName to org.apache.log4j and fixed several OSGi meta data related issues in the meanwhile. Today they published 1.2.19 which should work as a drop-in replacement in Eclipse based applications where Require-Bundle was used. My local tests worked so far.
>>>>>>
>>>>>> That said, re-bundling for Orbit should not be necessary as reload4j could directly be consumed via Maven Central.
>>>>>>
>>>>>> Just wanted to keep you updated.
>>>>>>
>>>>>> Greez,
>>>>>> Dirk
>>>>>>
>>>>>> Ed Willink <ed.will...@gmail.com> wrote on Wed, 26 Jan 2022, 13:47:
>>>>>>> Hi
>>>>>>>
>>>>>>> On 26/01/2022 07:48, Christoph Läubrich wrote:
>>>>>>> > Why not using SLF4J in all places and let the user choose the implementation with their favorite CVEs?
>>>>>>>
>>>>>>> Use of SLF4J has been suggested before and so I tried to be a good Eclipse citizen. My failed attempts are described in:
>>>>>>>
>>>>>>> https://bugs.eclipse.org/bugs/show_bug.cgi?id=559532
>>>>>>>
>>>>>>> If SLF4J is to be used, can someone please ensure that the platform is fit for purpose and that there is a good tutorial on how to do really boring logging.
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Ed Willink
>>>>
>>>> Vorstand/Board: Jens Wagener (Vors./chairman), Dr. Stephan Eberle, Abdelghani El-Kacimi, Wolfgang Neuhaus, Franz-Josef Schuermann
>>>> Aufsichtsrat/Supervisory Board: Michael Neuhaus (Vors./chairman), Harald Goertz, Eric Swehla
>>>> Sitz der Gesellschaft/Registered Office: Am Brambusch 15-24, 44536 Lünen (Germany)
>>>> Registergericht/Registry Court: Amtsgericht Dortmund | HRB 20621

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
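As an added example (not code from the thread, from Orbit or from the EPP build), here is the kind of check Jonah describes for verifying that packages no longer contain the 1.2.15 bundle: read Bundle-SymbolicName and Bundle-Version from each bundle jar's MANIFEST.MF and flag any org.apache.log4j bundle below 1.2.19, which is the old log4j 1.2.15 line rather than the reload4j re-bundle that carries the same symbolic name. The sample jars, their versions and the qualifier are constructed in memory, and the 1.2.19 threshold and the manifest parser are assumptions of this example.

```python
import io
import re
import zipfile

LOG4J_BSN = "org.apache.log4j"   # reload4j 1.2.19 is re-bundled under this same name
MIN_OK_VERSION = (1, 2, 19)      # assumption: anything below this is the old 1.2.15 line

def parse_manifest(text):
    """Parse MANIFEST.MF headers; a line starting with a space continues the previous value."""
    headers, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            headers[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
    return headers

def bundle_identity(jar_bytes):
    """Return (Bundle-SymbolicName without directives, numeric version tuple) of a bundle jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        mf = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
    bsn = mf.get("Bundle-SymbolicName", "").split(";")[0].strip()  # drop ;singleton:=true
    nums = tuple(int(p) for p in re.findall(r"\d+", mf.get("Bundle-Version", "0"))[:3])
    return bsn, nums

def find_old_log4j(jars):
    """jars: file name -> jar bytes. Returns the names of org.apache.log4j bundles below 1.2.19."""
    flagged = []
    for name, data in jars.items():
        bsn, ver = bundle_identity(data)
        if bsn == LOG4J_BSN and ver < MIN_OK_VERSION:
            flagged.append(name)
    return flagged

def make_jar(bsn, version):
    # Constructed in-memory jar holding only a manifest (sample input, not a real Orbit artifact).
    mf = f"Manifest-Version: 1.0\r\nBundle-SymbolicName: {bsn}\r\nBundle-Version: {version}\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", mf)
    return buf.getvalue()

SAMPLE_PLUGINS = {  # constructed stand-in for a plugins/ directory; the qualifier is made up
    "org.apache.log4j_1.2.15.v20220301.jar": make_jar("org.apache.log4j", "1.2.15.v20220301"),
    # the reload4j re-bundle, with its directive wrapped onto a manifest continuation line
    "org.apache.log4j_1.2.19.jar": make_jar("org.apache.log4j;singleton:\r\n =true", "1.2.19"),
    "org.eclipse.core.runtime_3.24.0.jar": make_jar("org.eclipse.core.runtime", "3.24.0"),
}

if __name__ == "__main__":
    print(find_old_log4j(SAMPLE_PLUGINS))   # ['org.apache.log4j_1.2.15.v20220301.jar']
```

Against a real install, feed it the jars of the plugins directory, e.g. `find_old_log4j({p.name: p.read_bytes() for p in Path("plugins").glob("*.jar")})`; a scanner that keys on jar structure rather than the manifest, as Dirk describes for Logpresso, can still flag the re-bundle, so this manifest-based check complements rather than replaces such tools.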