Message ID | xmqqmtkq6frf.fsf@gitster.g (mailing list archive)
---|---
State | New, archived
Series | [RFC] squelch log4j inquiries
On December 23, 2021 6:52 PM, Junio C Hamano wrote:
> I wonder if we should do something like this, for limited time like a few
> months or so, so that we have something prominently shown at places like
> https://github.com/git/git/
>
> Signed-off-by: Junio C Hamano <gitster@pobox.com>
> ---
> README.md | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git c/README.md w/README.md
> index f6f43e78de..76e99fe5bb 100644
> --- c/README.md
> +++ w/README.md
> @@ -7,6 +7,9 @@ Git is a fast, scalable, distributed revision control system
> with an unusually rich command set that provides both high-level operations
> and full access to internals.
>
> +No part of Git is written in Java, hence it is not susceptible to the
> +log4j vulnerability that has been causing sensation recently.
> +
> Git is an Open Source project covered by the GNU General Public License
> version 2 (some parts of it are under different licenses, compatible with the
> GPLv2). It was originally written by Linus

This is a good idea. I have had to reassure a whole bunch of people in my community about this, not really because of git itself but because of the Maven build associated with EGit/JGit that may (do) have this issue if the wrong version of log4j is available. I would rather not discuss the particulars of the attack vector in this mailing list.

--Randall
On 23/12/2021 23:52, Junio C Hamano wrote:
> I wonder if we should do something like this, for limited time like
> a few months or so, so that we have something prominently shown at
> places like https://github.com/git/git/
>
> Signed-off-by: Junio C Hamano <gitster@pobox.com>
> ---
> README.md | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git c/README.md w/README.md
> index f6f43e78de..76e99fe5bb 100644
> --- c/README.md
> +++ w/README.md
> @@ -7,6 +7,9 @@ Git is a fast, scalable, distributed revision control system with an
> unusually rich command set that provides both high-level operations
> and full access to internals.
>
> +No part of Git is written in Java, hence it is not susceptible to
> +the log4j vulnerability that has been causing sensation recently.
> +
> Git is an Open Source project covered by the GNU General Public
> License version 2 (some parts of it are under different licenses,
> compatible with the GPLv2). It was originally written by Linus

Would it be worth adding a section to the SECURITY.md file that could cover these 'non-issue' concerns? The README could point to the non-issue section. Just a thought.

Philip
<rsbecker@nexbridge.com> writes:
>> +No part of Git is written in Java, hence it is not susceptible to the
>> +log4j vulnerability that has been causing sensation recently.
>> +
> ...
> This is a good idea. I have had to reassure a whole bunch of people in my
> community about this, not really because of git itself but because of the
> Maven build associated with EGit/JGit that may (do) have this issue if the
> wrong version of log4j is available. I would rather not discuss the
> particulars of the attack vector in this mailing list.

As you can point those people at the message that started this thread at the lore archive, I actually think that I already have done enough to achieve our goal ;-)
diff --git c/README.md w/README.md index f6f43e78de..76e99fe5bb 100644 --- c/README.md +++ w/README.md @@ -7,6 +7,9 @@ Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. +No part of Git is written in Java, hence it is not susceptible to +the log4j vulnerability that has been causing sensation recently. + Git is an Open Source project covered by the GNU General Public License version 2 (some parts of it are under different licenses, compatible with the GPLv2). It was originally written by Linus
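Review bot: the added paragraph in the README.md hunk makes a broad, undated claim ("No part of Git is written in Java, hence it is not susceptible to the log4j vulnerability that has been causing sensation recently") that will read as stale once the news cycle passes, even though the cover letter frames it as a note for "a few months or so". Suggest naming the vulnerability precisely instead of "causing sensation recently", stating the scope explicitly (Git's own code base contains no Java and does not ship log4j; Java tooling built around Git, such as the EGit/JGit builds raised in the thread, is maintained separately), and, as proposed downthread, placing the fuller text in SECURITY.md with the README pointing to it, so the paragraph has an obvious home and an obvious removal point.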
I wonder if we should do something like this, for limited time like a few
months or so, so that we have something prominently shown at places like
https://github.com/git/git/

Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
README.md | 3 +++
1 file changed, 3 insertions(+)