#announcements
2021-12-10
otfrom 10:12:36

0-day exploit in the popular Java logging library log4j2 was discovered that results in Remote Code Execution (RCE) by logging a certain string. https://www.lunasec.io/docs/blog/log4j-zero-day/

👍 25
🚨 10
😱 4
otfrom 10:12:04

lots of logging libraries use log4j at the bottom

eggsyntax 14:12:07

Great choice to post, thank you!

zane 17:12:21

Might even be worth editing the original message to give a summary given how severe this is. People might not click through.

👍 1
henryw374 15:12:13

I bumped log4j2 deps in https://github.com/henryw374/clojure.log4j2 ... not sure if anyone apart from me using it 🙂

❤️ 1
Daniel Slutsky 14:12:54

This post suggests some thinking around our community practices, where some common goals could potentially enjoy new community structures. https://clojureverse.org/t/rethinking-community-scope/ It is shared here under #announcements since it is probably the beginning of a new project. Thoughts and comments would help a lot. 🙏

❤️ 9
👀 1
😻 1
Alex Miller (Clojure team) 15:12:32

org.clojure/tools.logging 1.2.1 is now available
• tools.logging doesn't actually have a dependency on log4j (you bring your own), but it does use log4j as a test dependency and this bumps all those deps to the new versions

🎉 19
🙏 9
👍 4
❤️ 7
Alex Miller (Clojure team) 17:12:33

https://github.com/clojure/tools.namespace 1.2.0 is now available
• Fix https://clojure.atlassian.net/browse/TNS-51: Support namespaces as strings in require statements for CLJS (thanks @borkdude!)
• Fix https://clojure.atlassian.net/browse/TNS-57: Support :require-macros for CLJS namespaces (thanks @borkdude!)

borkdude 17
borkdude 19:12:43

Not a lot of people seem to be aware of this yet, but we also have a #releases channel for minor library updates. Feel free to join if you're interested in receiving those. (cc @seancorfield - perhaps we should mention that channel in the topic of this one?)

quoll 20:12:23

Thanks for this! I often have minor bug fixes that get released, but I don’t think it’s worthy of a post to #announcements. Now I know where to announce them

seancorfield 20:12:03

We're pretty much at the limit of the topic length already and it's already truncated for smaller screens at Do not cross po...

Lukas Domagala 20:12:00

maybe a pinned post then?

mynomoto 20:12:51

There is a description and a topic, and some of them are redundant atm.

seancorfield 20:12:11

@U05094X3J In our experience as Admins, very few people seem to read the description, unfortunately (and a lot of people don't even read the topic!).

mynomoto 20:12:52

Yeah, that makes sense.

pez 20:12:39

Generally I think we shouldn’t hesitate too much about updating in this channel, #releases is fine and all, but anyway, if there is an update to stuff people use, it is often worth an announcement, imo.

borkdude 20:12:30

Before we had the "rule" that one shouldn't post too many updates in a row about the same project and that you should wait until the history didn't show the previous announcement anymore. But now we have all history, so I guess that rule has to be slightly changed. The window was a few weeks. Personally I try to stick to 1 update per month about the same project.

pez 20:12:22

I always thought that “rule” was shite, tbh.

borkdude 20:12:30

This rule came into existence because one person complained about too many updates.

borkdude 20:12:48

But I guess rules can change over time. Perhaps it's good to call them guidelines

mynomoto 20:12:22

I like the one per month rule. We are big enough that if people start announcing every update it stops being useful.

👍 3
pez 20:12:24

I'm more like that it is wonderful and beautiful with updates. And that it is more about the update content than the time between them.

👍 2
seancorfield 20:12:39

@U0ETXRFEW We had some very vocal complaints about "Hey, that library has posted five updates in the last month! It's too noisy!" -- hence #releases

seancorfield 20:12:24

So, yeah, about "once a month" for #announcements unless it's an important, major release (such as a critical security fix, for example).

🚨 1
👀 1
seancorfield 20:12:15

I think if you have dedicated channels for your projects, it's fine to have every release mentioned in there. Heck, even wire up github to "announce" every commit/PR/whatever in your own project's channel 🙂

👍 1
pez 21:12:22

I remember those complaints. One person. And I totally was thinking the opposite. "Five updates this month! Wow, that is awesome!"

💯 3
vemv 06:12:54

A problem is that for every person having an opinion at all (in either direction) there will be 10, or even 100, whose opinions we'll never possibly know of :) Maybe they don't even have a formed opinion, so perhaps one can default to a pessimistic interpretation. As someone who helps out with the maintenance of multiple high-impact clj projects, I can say that user feedback can be hard to gather, so treating attention as a scarce resource most likely helps. (If it doesn't help you, please reflect on the necessities of other projects, and whether a stronger, more diverse community does in fact come out as a result of having a middle ground in place)

seancorfield 07:12:56

Right, which is why we have the "rules" and why #releases exists (and why we're strict about threads in #announcements). Many people do find the "noise" annoying enough to tune out and then the value of those project announcements is just wasted. Information overload is a real problem. As an Admin, I try to stay neutral and will do what I can, with the other Admins, to satisfy the squeakiest wheels without reducing value for others, where we can. As a regular user of Slack, I have #releases muted and check it occasionally but I read everything in #announcements so I want it to have a very high signal-to-noise ratio and seeing repeated announcements from prolific projects is very annoying, even from projects that I use every day (and especially from projects I have zero interest in).

👍 3
🙏 1