On Mon, 2021-12-13 at 16:40 +0100, Bertrand Delacretaz wrote: > If we make a statement I think it should include the list of modules > we have checked as "not embedding log4j2" and describe the method > used > for that check.
I have used `repo grep log4j` in the Sling repo checkout, manually validated that we don't pull in log4j2. If we exclude test code, we only get 54 lines, it should be quite easy for someone else to cross-check my findings. Thanks, Robert
