Re: [cross-project-issues-dev] [orbit-dev] log4j vulnerability in Eclipse: update to 2.16.0?
Agreed. There is usually a clean-up/removal of unneeded stuff. But the downloads are still available for projects consuming the repositories.
That's a misconception. Orbit essentially is like Maven Central. Instead of Maven artifacts, it distributes Eclipse plug-in artifacts. Maven Central still distributes the vulnerable Log4j version and a ton of other libraries with CVEs. Does that make it a less trustworthy source now? I don't think so. Consumers still need to stay on top of those.