Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cross-project-issues-dev] [orbit-dev] log4j vulnerability in Eclipse: update to 2.16.0?

> Orbit essentially is like Maven Central

In that case I don't understand why do we need Orbit at all. With the latest announcements regarding tycho capabilities from Christoph + lack of resources to support Orbit in safe form it seems to be useless.


1/13/2022 1:29 PM, Gunnar Wagenknecht пишет:

On Jan 13, 2022, at 10:55, Aleksandar Kurtakov <akurtako@xxxxxxxxxx> wrote:

IMHO, people should actively remove content from Orbit that has CVEs. Much like with any other project. Even without replacing it with a fixed version. We will be better with less but trusted content than questioning ourselves for each artifact.

Agreed. There is usually a clean-up/removal of unneeded stuff. But the downloads are still available for projects consuming the repositories. 

>[...] That is definitely something 
> new, since Orbit was a trusted source of 3rd party libraries for many 
> years.

That's a misconception. Orbit essentially is like Maven Central. Instead of Maven Artifacts it distributes Eclipse plug-in artifacts. Maven Central still distributes the vulnerable Log4j version and ton of other libraries with CVEs. Does that make it a less trustworthy source now? I don't think so. Consumers still need to stay on top of those.


Gunnar Wagenknecht

cross-project-issues-dev mailing list
To unsubscribe from this list, visit

Back to the top