Move chainsaw, net, jdbc, jmx, ... into separate artifacts #5
Comments
Comment Hannes Rosenögger: If we split it into several artifacts you first need to figure out which one you need. Given the somewhat temporary nature of reload4j (people are still encouraged to update their apps to newer frameworks) idk if the added complexity and the time needed to create separate artifacts are worth it.
vladimirsitnikov Vladimir Sitnikov added a comment - 2020-01-13 My guess is that people never really need chainsaw in the application classpath, they might know they do not need networking (e.g. to avoid accidental log leak to the network services, etc).
Vladimir Sitnikov added a comment - 2020-01-13 There's also an option to move the code into modules, and still keep them as the default dependency of :reload4j. Then people have the same classes by default, however, they can now exclude unwanted classes without resorting to "deleting classes from jar"
Moving chainsaw to a different module makes sense. As for other modules, it might be too big a change at this stage.
I think removing the Chainsaw component would be good given that there's the following new CVE against it and its inclusion in the core jar:
@rdifrango While moving Chainsaw to a different artifact is a good idea, the CVE you mention was already fixed in 1.2.18.1
Thanks @ceki - I missed that.
Vladimir Sitnikov: It would allow clients to depend on the reduced feature set, and they will be secured in the face of unknown vulnerabilities