[RFC] squelch log4j inquiries

All of lore.kernel.org
 help / color / mirror / Atom feed

* [RFC] squelch log4j inquiries
@ 2021-12-23 23:52 Junio C Hamano
  2021-12-24  0:14 ` rsbecker
  2021-12-24 10:59 ` Philip Oakley
  0 siblings, 2 replies; 4+ messages in thread
From: Junio C Hamano @ 2021-12-23 23:52 UTC (permalink / raw)
  To: git

I wonder if we should do something like this, for limited time like
a few months or so, so that we have something prominently shown at
places like https://github.com/git/git/

Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git c/README.md w/README.md
index f6f43e78de..76e99fe5bb 100644
--- c/README.md
+++ w/README.md
@@ -7,6 +7,9 @@ Git is a fast, scalable, distributed revision control system with an
 unusually rich command set that provides both high-level operations
 and full access to internals.
 
+No part of Git is written in Java, hence it is not susceptible to
+the log4j vulnerability that has been causing sensation recently.
+
 Git is an Open Source project covered by the GNU General Public
 License version 2 (some parts of it are under different licenses,
 compatible with the GPLv2). It was originally written by Linus

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* RE: [RFC] squelch log4j inquiries
  2021-12-23 23:52 [RFC] squelch log4j inquiries Junio C Hamano
@ 2021-12-24  0:14 ` rsbecker
  2021-12-25  0:38   ` Junio C Hamano
  2021-12-24 10:59 ` Philip Oakley
  1 sibling, 1 reply; 4+ messages in thread
From: rsbecker @ 2021-12-24  0:14 UTC (permalink / raw)
  To: 'Junio C Hamano', git

On December 23, 2021 6:52 PM, Junio C Hamano wrote:
> I wonder if we should do something like this, for limited time like a few
> months or so, so that we have something prominently shown at places like
> https://github.com/git/git/
> 
> Signed-off-by: Junio C Hamano <gitster@pobox.com>
> ---
>  README.md | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git c/README.md w/README.md
> index f6f43e78de..76e99fe5bb 100644
> --- c/README.md
> +++ w/README.md
> @@ -7,6 +7,9 @@ Git is a fast, scalable, distributed revision control
system
> with an  unusually rich command set that provides both high-level
operations
> and full access to internals.
> 
> +No part of Git is written in Java, hence it is not susceptible to the
> +log4j vulnerability that has been causing sensation recently.
> +
>  Git is an Open Source project covered by the GNU General Public  License
> version 2 (some parts of it are under different licenses,  compatible with
the
> GPLv2). It was originally written by Linus

This is a good idea. I have had to reassure a whole bunch of people in my
community about this, not really because of git itself but because of the
Maven build associated with EGit/JGit that may (do) have this issue if the
wrong version of log4j is available. I would rather not discuss the
particulars of the attack vector in this mailing list.

--Randall


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [RFC] squelch log4j inquiries
  2021-12-23 23:52 [RFC] squelch log4j inquiries Junio C Hamano
  2021-12-24  0:14 ` rsbecker
@ 2021-12-24 10:59 ` Philip Oakley
  1 sibling, 0 replies; 4+ messages in thread
From: Philip Oakley @ 2021-12-24 10:59 UTC (permalink / raw)
  To: Junio C Hamano, git

On 23/12/2021 23:52, Junio C Hamano wrote:
> I wonder if we should do something like this, for limited time like
> a few months or so, so that we have something prominently shown at
> places like https://github.com/git/git/
>
> Signed-off-by: Junio C Hamano <gitster@pobox.com>
> ---
>  README.md | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git c/README.md w/README.md
> index f6f43e78de..76e99fe5bb 100644
> --- c/README.md
> +++ w/README.md
> @@ -7,6 +7,9 @@ Git is a fast, scalable, distributed revision control system with an
>  unusually rich command set that provides both high-level operations
>  and full access to internals.
>  
> +No part of Git is written in Java, hence it is not susceptible to
> +the log4j vulnerability that has been causing sensation recently.
> +
>  Git is an Open Source project covered by the GNU General Public
>  License version 2 (some parts of it are under different licenses,
>  compatible with the GPLv2). It was originally written by Linus

Would it be worth adding a section to the SECURITY.md file that could
cover these 'non-issue' concerns. The README could point to the
non-issue section. Just a thought.

Philip

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [RFC] squelch log4j inquiries
  2021-12-24  0:14 ` rsbecker
@ 2021-12-25  0:38   ` Junio C Hamano
  0 siblings, 0 replies; 4+ messages in thread
From: Junio C Hamano @ 2021-12-25  0:38 UTC (permalink / raw)
  To: rsbecker; +Cc: git

<rsbecker@nexbridge.com> writes:

>> +No part of Git is written in Java, hence it is not susceptible to the
>> +log4j vulnerability that has been causing sensation recently.
>> +
> ...
> This is a good idea. I have had to reassure a whole bunch of people in my
> community about this, not really because of git itself but because of the
> Maven build associated with EGit/JGit that may (do) have this issue if the
> wrong version of log4j is available. I would rather not discuss the
> particulars of the attack vector in this mailing list.

As you can point those people at the message that started this
thread at the lore archive, I actually think that I already have
done enough to achieve our goal ;-)




^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2021-12-25  0:38 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-12-23 23:52 [RFC] squelch log4j inquiries Junio C Hamano
2021-12-24  0:14 ` rsbecker
2021-12-25  0:38   ` Junio C Hamano
2021-12-24 10:59 ` Philip Oakley

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.