Posted to notifications@netbeans.apache.org by "matthiasblaesing (via GitHub)" <gi...@apache.org> on 2023/03/25 12:13:21 UTC

[GitHub] [netbeans] matthiasblaesing opened a new pull request, #5716: html.validator: Remove dependency on log4j

matthiasblaesing opened a new pull request, #5716:
URL: https://github.com/apache/netbeans/pull/5716

   This commit modifies the patched version of the html.validator not to rely on log4j anymore.
   
   There is no security gain estimated. This commit exists only to silence "security" teams that have some strange interpretation of security. They assume that you can deduce from the presence of a dependency/library whether or not there is a security problem. There is no evidence that any of the CVEs against log4j 1 apply here.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@netbeans.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@netbeans.apache.org
For additional commands, e-mail: notifications-help@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists


[GitHub] [netbeans] mbien commented on pull request #5716: html.validator: Remove dependency on log4j

Posted by "mbien (via GitHub)" <gi...@apache.org>.
mbien commented on PR #5716:
URL: https://github.com/apache/netbeans/pull/5716#issuecomment-1483829659

   Patch looks good. An alternative approach for something like this could be to use SLF4J bridges, since the project has a bridge for almost everything. In this particular case:
   
   `log4j-over-slf4j` + `slf4j-jdk14`
   
   This would map log4j 1 to slf4j and use the weirdly named `slf4j-jdk14` impl as "logging impl", which is actually a bridge to `java.util.logging`.
   
   https://www.slf4j.org/legacy.html#log4j-over-slf4j +
   https://www.slf4j.org/manual.html#projectDep (scroll down to `slf4j-jdk14`)
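
What the bridge combination suggested in the comment above does at runtime, as an added example that is not part of the thread or of the NetBeans code base. The class name `BridgeDemo` and the logger name are hypothetical, and the example assumes `log4j-over-slf4j`, `slf4j-jdk14` and `slf4j-api` are on the classpath with no log4j 1.x jar present.

```java
// Added example, not NetBeans code. Assumed classpath:
// log4j-over-slf4j, slf4j-jdk14, slf4j-api, and no log4j 1.x jar.
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.LogRecord;

public class BridgeDemo {
    // Hypothetical logger name, used only for this demonstration.
    static final String NAME = "demo.legacy.component";

    /** Collects java.util.logging records in memory so they can be inspected. */
    static final class CapturingHandler extends Handler {
        final List<LogRecord> records = new ArrayList<>();
        @Override public void publish(LogRecord r) { records.add(r); }
        @Override public void flush() { }
        @Override public void close() { }
    }

    public static void main(String[] args) {
        // Keep a strong reference: java.util.logging holds loggers weakly.
        java.util.logging.Logger jul = java.util.logging.Logger.getLogger(NAME);
        CapturingHandler handler = new CapturingHandler();
        jul.addHandler(handler);
        jul.setUseParentHandlers(false);

        // Unmodified log4j 1 API calls, as legacy code would make them.
        // With the bridge, this class is supplied by log4j-over-slf4j.
        org.apache.log4j.Logger legacy = org.apache.log4j.Logger.getLogger(NAME);
        legacy.info("validation finished");
        // Not captured under the default JUL configuration (threshold INFO).
        legacy.debug("detail message");

        for (LogRecord r : handler.records) {
            System.out.println(r.getLevel() + " " + r.getLoggerName() + ": " + r.getMessage());
        }
        // Show which jar actually supplied the log4j 1 API class.
        System.out.println(org.apache.log4j.Logger.class
                .getProtectionDomain().getCodeSource().getLocation());
    }
}
```

The last line printed is the location of the jar that served `org.apache.log4j.Logger`, which confirms that the legacy API is being provided by the bridge rather than by a log4j 1.x artifact.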
   




[GitHub] [netbeans] matthiasblaesing commented on pull request #5716: html.validator: Remove dependency on log4j

Posted by "matthiasblaesing (via GitHub)" <gi...@apache.org>.
matthiasblaesing commented on PR #5716:
URL: https://github.com/apache/netbeans/pull/5716#issuecomment-1483814743

   This PR is currently only for review. Before merge, the binary will be moved to the OSUOSL server.




[GitHub] [netbeans] matthiasblaesing commented on pull request #5716: html.validator: Remove dependency on log4j

Posted by "matthiasblaesing (via GitHub)" <gi...@apache.org>.
matthiasblaesing commented on PR #5716:
URL: https://github.com/apache/netbeans/pull/5716#issuecomment-1483834336

   @mbien ah - nice idea. Would be good to consider if we can get the patching down or updated.




[GitHub] [netbeans] matthiasblaesing merged pull request #5716: html.validator: Remove dependency on log4j

Posted by "matthiasblaesing (via GitHub)" <gi...@apache.org>.
matthiasblaesing merged PR #5716:
URL: https://github.com/apache/netbeans/pull/5716




[GitHub] [netbeans] matthiasblaesing commented on pull request #5716: html.validator: Remove dependency on log4j

Posted by "matthiasblaesing (via GitHub)" <gi...@apache.org>.
matthiasblaesing commented on PR #5716:
URL: https://github.com/apache/netbeans/pull/5716#issuecomment-1492970794

   Pushed new binary to the OSUOSL server and updated the reference. Will merge tomorrow once tests are green.

