Re: [cross-project-issues-dev] [orbit-dev] log4j vulnerability in Eclips

[Ed Merks <ed.merks@xxxxxxxxx>]

It's not entirely clear that a generous layer of critique and pessimism as icing on the neglect-and-apathy cake will help the broader team be more motivated to work toward a more viable solution.  Certainly I personally find it hugely challenging to deal with what feels like an endless stream of disruptive changes that percolate their way through my software stack.  My projects are like book ends on this train.  Add to that playing police and being the emergency response team, complemented by disruptive infrastructure changes to add to the confusion, and it feels like the goodness just never ends.  I could spend some time pointlessly pointing fingers at whom to blame for all these messy things.  But I always remind myself that when I point fingers at others, several of my own fingers are always pointing back at me.  So I try to focus on what can be done to make things better and what I can do to enable those.

Let's also look at some of the positives.  We are building a highly complex system, comprising a great many moving parts, with a lot of very busy people involved, to deliver some really amazing results, on time, four times a year.  Surely we're doing a few things right...

Cheers,
Ed

On 13.01.2022 14:51, Aleksandar Kurtakov wrote:

On Thu, Jan 13, 2022 at 3:47 PM Jonah Graham <jonah@xxxxxxxxxxxxxxxx> wrote:

On Thu., Jan. 13, 2022, 08:18 Aleksandar Kurtakov, <akurtako@xxxxxxxxxx> wrote:

On Thu, Jan 13, 2022 at 3:11 PM Jonah Graham <jonah@xxxxxxxxxxxxxxxx> wrote:

On Thu., Jan. 13, 2022, 05:49 Alexander Fedorov, <alexander.fedorov@xxxxxxxxxx> wrote:

> Orbit essentially is like Maven Central

In that case I don't understand why do we need Orbit at all. With the latest announcements regarding tycho capabilities from Christoph + lack of resources to support Orbit in safe form it seems to be useless.

You have hit the nail on the head! Although useless is going a little far. Orbit does not likely have a long term future. However as there are many projects that build from it still we need it. Also there is a problem if multiple projects start contributing the same version of third party lib that will hopefully be solved in the future with PGP signing. 

Orbit should not be directly contributing to simrel, but for a variety of reasons it does (see comments in the file) 

As mentioned in the Gerrit, passage's p2 repo should be publishing its third party deps and it should be possible for consumers to install passage from passage's p2 repo without requiring an orbit repo be added too. 

I know for sure that numerous projects are not quite doing that (again see comments in orbit.aggrcon) but hopefully at some point the temporary contribution of orbit to simrel directly can be removed. 

I would dare to say that as long as the workarounds are in simrel nothing will get fixed - it's time to face reality.

Probably correct, but I don't have the nerve to disable (or knowledge/time to fix) Mylyn. 

^^ Exactly - the amount of complains from people not paying attention and putting burden on others to workaround for them is what made me lost trust that simrel is viable approach.

 

 

HTH, 

Jonah 

Regards,
AF

1/13/2022 1:29 PM, Gunnar Wagenknecht пишет:

On Jan 13, 2022, at 10:55, Aleksandar Kurtakov <akurtako@xxxxxxxxxx> wrote:

IMHO, people should actively remove content from Orbit that has CVEs. Much like with any other project. Even without replacing it with a fixed version. We will be better with less but trusted content than questioning ourselves for each artifact.

Agreed. There is usually a clean-up/removal of unneeded stuff. But the downloads are still available for projects consuming the repositories. 

>[...] That is definitely something 
> new, since Orbit was a trusted source of 3rd party libraries for many 
> years.

That's a misconception. Orbit essentially is like Maven Central. Instead of Maven Artifacts it distributes Eclipse plug-in artifacts. Maven Central still distributes the vulnerable Log4j version and ton of other libraries with CVEs. Does that make it a less trustworthy source now? I don't think so. Consumers still need to stay on top of those.

-Gunnar

-- 
Gunnar Wagenknecht
gunnar@xxxxxxxxxxxxxxx, http://guw.io/

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev

--

Aleksandar Kurtakov

Red Hat Eclipse Team

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev

--

Aleksandar Kurtakov

Red Hat Eclipse Team

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev