yawkat commented on PR #21035: URL: https://github.com/apache/kafka/pull/21035#issuecomment-3615760530
@apokralipsa That's only prudent. You can see that the CVE was published by sonatype if you look at the CVE feed: https://www.cvedetails.com/vulnerability-list/assigner-366/Sonatype.html There is also a comment describing the move in the relocation pom: https://repo.maven.apache.org/maven2/org/lz4/lz4-java/1.8.1/lz4-java-1.8.1.pom If I was malicious and had access to publish org.lz4 to maven central, I wouldn't need to move the group id in the first place, I could just continue with the old namespace. Because I do not have permission to publish org.lz4, I had to secure support from sonatype and the lz4 project to do the move. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
