|Re: [cross-project-issues-dev] [orbit-dev] log4j vulnerability in Eclipse: update to 2.16.0?|
On Jan 13, 2022, at 10:55, Aleksandar Kurtakov <akurtako@xxxxxxxxxx> wrote:
IMHO, people should actively remove content from Orbit that has CVEs. Much like with any other project. Even without replacing it with a fixed version. We will be better with less but trusted content than questioning ourselves for each artifact.
Agreed. There is usually a clean-up/removal of unneeded stuff. But the downloads are still available for projects consuming the repositories.
>[...] That is definitely something
> new, since Orbit was a trusted source of 3rd party libraries for many
That's a misconception. Orbit essentially is like Maven Central. Instead of Maven Artifacts it distributes Eclipse plug-in artifacts. Maven Central still distributes the vulnerable Log4j version and ton of other libraries with CVEs. Does that make it a less trustworthy source now? I don't think so. Consumers still need to stay on top of those.
_______________________________________________ cross-project-issues-dev mailing list cross-project-issues-dev@xxxxxxxxxxx To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
Back to the top