Re: [cross-project-issues-dev] [orbit-dev] log4j vulnerability in Eclipse?

Am 13.12.2021 um 18:03 schrieb Christoph Läubrich:

yep that's what I have had in mind, I think it would be cool to have
one global feature "CVE Mitigation" or something and this
requires/includes individual CVE features that ship with appropriate
p2.inf items.
This way, once added to an IDE, this will enable us to make CVE fixes
available for a broad audience and make people more aware of them
through the update capabilities of Eclipse itself.

Sounds great. However, I would vote for one feature per CVE, for two
reasons:

Some companies are rather reluctant to change previously certified tool
chains, and might want to include fix A, but not fix B (because they can
explain why it does not affect them).

I would expect that there is a chance of such a feature not being
installable on some installations due to conflicting requirements. The
more CVEs (and requirements) included, the higher that chance. It would
be good if such a conflict would not prohibit installing the other fixes.
I might be wrong about this item.
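As an added illustration of the "umbrella feature plus one feature per CVE" layout discussed in the two mails above (this is not a file from the Eclipse project or from either author), the umbrella feature's p2.inf could declare each CVE fix feature as an optional, greedy requirement. p2 then installs whichever fix features resolve on a given installation and skips the ones whose requirements conflict, instead of failing the whole install. The IU names, version ranges and the CVE placeholders are assumptions made up for this example; only the `requires.N.*` keys are standard p2.inf syntax.

```properties
# p2.inf of the hypothetical umbrella feature "org.example.cve.mitigation.feature"
# (example, not Eclipse project content). Each requirement points at one
# hypothetical per-CVE fix feature; names and ranges are placeholders.

# Fix feature for CVE-PLACEHOLDER-1: optional, so a conflicting requirement
# on some installation does not block the other fixes; greedy, so p2 still
# installs it wherever it resolves.
requires.0.namespace = org.eclipse.equinox.p2.iu
requires.0.name = org.example.cve.fix.placeholder1.feature.group
requires.0.range = [1.0.0,2.0.0)
requires.0.optional = true
requires.0.greedy = true

# Fix feature for CVE-PLACEHOLDER-2, same pattern.
requires.1.namespace = org.eclipse.equinox.p2.iu
requires.1.name = org.example.cve.fix.placeholder2.feature.group
requires.1.range = [1.0.0,2.0.0)
requires.1.optional = true
requires.1.greedy = true
```

The individual fix features stay installable on their own for sites that have vetted one CVE but not another, which is the first point above; the optional requirements in the umbrella address the second point, since one unresolvable fix no longer drags the others down with it.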
