
A 0-day exploit in the popular Java logging library log4j2 was discovered that results in Remote Code Execution (RCE) by logging a certain string.

👍 25
🚨 10
😱 4

lots of logging libraries use log4j at the bottom


Great choice to post, thank you!


Might even be worth editing the original message to give a summary given how severe this is. People might not click through.

👍 1

I bumped log4j2 deps in ... not sure if anyone apart from me using it 🙂

❤️ 1
Daniel Slutsky 14:12:54

This post suggests some thinking around our community practices, where some common goals could potentially enjoy new community structures. It is shared here under #announcements since it is probably the beginning of a new project. Thoughts and comments would help a lot. 🙏

❤️ 9
👀 1
😻 1
Alex Miller (Clojure team) 15:12:32

org.clojure/tools.logging 1.2.1 is now available • tools.logging doesn't actually have a dependency on log4j (you bring your own), but it does use log4j as a test dependency and this bumps all those deps to the new versions

🎉 19
🙏 9
👍 4
❤️ 7
Alex Miller (Clojure team) 17:12:33

1.2.0 is now available • Fix Support namespaces as strings in require statements for CLJS (thanks @borkdude!) • Fix Support :require-macros for CLJS namespaces (thanks @borkdude!)

borkdude 17

Not a lot of people seem to be aware of this yet, but we also have a #releases channel for minor library updates. Feel free to join if you're interested in receiving those. (cc @seancorfield - perhaps we should mention that channel in the topic of this one?)


Thanks for this! I often have minor bug fixes that get released, but I don't think it's worthy of a post to #announcements. Now I know where to announce them.


We're pretty much at the limit of the topic length already and it's already truncated for smaller screens at Do not cross po...

Lukas Domagala 20:12:00

maybe a pinned post then?


There is a description and a topic, and some of them are redundant atm.


@U05094X3J In our experience as Admins, very few people seem to read the description, unfortunately (and a lot of people don't even read the topic!).


Yeah, that makes sense.


Generally I think we shouldn’t hesitate too much about updating in this channel, #releases is fine and all, but anyway, if there is an update to stuff people use, it is often worth an announcement, imo.


Before we had the "rule" that one shouldn't post too many updates in a row about the same project and that you should wait until the history didn't show the previous announcement anymore. But now we have all history, so I guess that rule has to be slightly changed. The window was a few weeks. Personally I try to stick to 1 update per month about the same project.


I always thought that “rule” was shite, tbh.


This rule came into existence because one person complained about too many updates.


But I guess rules can change over time. Perhaps it's good to call them guidelines.


I like the one per month rule. We are big enough that if people start announcing every update it stops being useful.

👍 3

I'm more like that it is wonderful and beautiful with updates. And that it is more about the update content than the time between them.

👍 2

@U0ETXRFEW We had some very vocal complaints about "Hey, that library has posted five updates in the last month! It's too noisy!" -- hence #releases


So, yeah, about "once a month" for #announcements unless it's an important, major release (such as a critical security fix, for example).

🚨 1
👀 1

I think if you have dedicated channels for your projects, it's fine to have every release mentioned in there. Heck, even wire up github to "announce" every commit/PR/whatever in your own project's channel 🙂

👍 1

I remember those complaints. One person. And I totally was thinking the opposite. "Five updates this month! Wow, that is awesome!"

💯 3

A problem is that for every person having an opinion at all (in either direction) there will be 10, or even 100, whose opinions we'll never possibly know of :) Maybe they don't even have a formed opinion, so perhaps one can default to a pessimistic interpretation. As someone who helps out with the maintenance of multiple high-impact clj projects, I can say that user feedback can be hard to gather, so treating attention as a scarce resource most likely helps. (If it doesn't help you, please reflect on the necessities of other projects, and whether a stronger, more diverse community does in fact come out as a result of having a middle ground in place.)


Right, which is why we have the "rules" and why #releases exists (and why we're strict about threads in #announcements). Many people do find the "noise" annoying enough to tune out and then the value of those project announcements is just wasted. Information overload is a real problem. As an Admin, I try to stay neutral and will do what I can, with the other Admins, to satisfy the squeakiest wheels without reducing value for others, where we can. As a regular user of Slack, I have #releases muted and check it occasionally but I read everything in #announcements so I want it to have a very high signal-to-noise ratio and seeing repeated announcements from prolific projects is very annoying, even from projects that I use every day (and especially from projects I have zero interest in).

👍 3
🙏 1