Lightnews — Scholar-powered news

Piotr P. Karwasz @piotr.karwasz.org · 14d

🚀 Great work, Tatu!

We’ve just upgraded Log4j 3 to use Jackson 3 🎉
👉 github.com/apache/loggi...

Next up: gearing up for a GA release by the end of the year.

Fun fact: Log4j 3 is one year “younger”, branched in 2018, so we are next in line for graduation.

Upgrade Jackson from 2.x to 3.0.0-rc8 by kurtostfeld · Pull Request #3701 · apache/logging-log4j2

Upgrade Jackson from 2.x to 3.0.0-rc5

github.com

1 1

Reposted by Piotr P. Karwasz

Cowtown Coder @cowtowncoder.bsky.social · 17d

Jackson 3.0.0 (GA) release now starting!

github.com/FasterXML/ja...

#java #json #xml #csv #cbor #csv

Jackson Release 3.0

Main Portal page for the Jackson project. Contribute to FasterXML/jackson development by creating an account on GitHub.

github.com

4 17 46

Piotr P. Karwasz @piotr.karwasz.org · Jun 16

🚀 Log4j 2.25.0 is out! Highlights include native GraalVM support and improved stack trace control and datetime formatting. Check out the full release notes: logging.apache.org/log4j/2.x/re...

Release notes :: Apache Log4j

logging.apache.org

4 14

Piotr P. Karwasz @piotr.karwasz.org · Jun 11

We're teaming up with Open Source Economy to learn what users expect from critical Java libraries like #apache-commons, #httpclient, #log4j, #jackson and more—especially around version support, issues and security.

Help us improve support by filling out this short survey: forms.gle/5Ad81MMcL7sy...

Java Critical Libraries Community Survey

Tell Us About Your Needs We’re gathering feedback on a set of Java libraries that the OpenSSF has classified as critical— including Log4j, HttpComponents, FasterXML Jackson & Woodstox, SnakeYAML, lu...

forms.gle

5 2

Piotr P. Karwasz @piotr.karwasz.org · Apr 28

I just released version `0.2.0` of SBOM Enforcer Maven Plugin.

This plugin does for (CycloneDX) SBOMs what the Maven Enforcer Plugin does for POM files.
Although the current number of built-in rules is small, the plugin is extensible and other built-in rules are on their way!

Release 0.2.0 · sbom-enforcer/sbom-enforcer

What's Changed fix: possible NPEs in handling Maven and CycloneDX models by @ppkarwasz in #42 fix: handle modules with packaging pom by @ppkarwasz in #43 fix: set global workflow permissions to em...

github.com

Reposted by Piotr P. Karwasz

Sergiu Gatlan @serghei.bsky.social · Apr 16

A coalition of CVE Board members launched a new CVE Foundation "to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program."

www.thecvefoundation.org

Press release from the CVE Foundation:

CVE Foundation Launched to Secure the Future of the CVE Program

[Bremerton, Washington] – The CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program, a critical pillar of the global cybersecurity infrastructure for 25 years.

Since its inception, the CVE Program has operated as a U.S. government-funded initiative, with oversight and management provided under contract. While this structure has supported the program’s growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor.

This concern has become urgent following an April 15, 2025 letter from MITRE notifying the CVE Board that the U.S. government does not intend to renew its contract for managing the program. While we had hoped this day would not come, we have been preparing for this possibility.

In response, a coalition of longtime, active CVE Board members have spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation. The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.

“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, an officer of the Foundation. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work—from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”

The formation of the CVE Foundation marks a major step toward eliminating a single point of failure in the vulnerability management ecosystem and ensuring…

1 13 26

Piotr P. Karwasz @piotr.karwasz.org · Apr 16

Backward compatible alternative to CVE:

GCVE - Global CVE Allocation System Announced

Introducing the Global CVE (GCVE) Allocation System (https://gcve.eu), a new decentralized approach to identifying and numbering security vulnerabilities. GCVE empowers independent GCVE Numbering Auth...

gcve.eu

2

Reposted by Piotr P. Karwasz

Tib3rius @tib3rius.bsky.social · Apr 16

"CVE Foundation Launched to Secure the Future of the CVE Program"

Please note this is not an official CVE Board action, but the action of a rogue group within the CVE Board to try and save the CVE Program.

www.linkedin.com/in/...

bsky.app/profile/cve...

7 26 52

Piotr P. Karwasz @piotr.karwasz.org · Apr 16

Let us analyze the exploitability of vulnerabilities in OSS together. In collaboration with OpenRefactory, we developed a prototype to analyze the exploitability of CVEs all along the dependency chain and submit that data to the OSS projects themselves. More info soon at:
github.com/copernik-eu/...

VEX Generation at Scale

YouTube video by Piotr P. Karwasz

www.youtube.com

Piotr P. Karwasz @piotr.karwasz.org · Apr 16

NVD stopped working one year ago. They do not review and enrich CVE records with CPE identifiers any more. They only copy the records from the CVE database.

Reposted by Piotr P. Karwasz

Tib3rius @tib3rius.bsky.social · Apr 15

BREAKING.

From a reliable source. MITRE support for the CVE program is due to expire tomorrow. The attached letter was sent out to CVE Board Members.

37 420 690

Piotr P. Karwasz @piotr.karwasz.org · Mar 20

@apache.org Kafka has released version 4.0.0 and is now using Log4j Core 2 as logging backend! @logging.apache.org

Apache Kafka News @apache-kafka-news.bsky.social · Mar 18

Apache Kafka 4.0.0 is released. Check out the release notes here: dlcdn.apache.org/kafka/4.0.0/...

Below is a summary of the JIRA issues addressed in the 4.0.0 release of Kafka. For full documentation of the release, a guide to get started, and information about the project, see the Kafka project site.

dlcdn.apache.org

1

Piotr P. Karwasz @piotr.karwasz.org · Mar 15

They might be right: AI will write 90% of the software, but only the remaining 10% will work.

1

Piotr P. Karwasz @piotr.karwasz.org · Mar 5

How do you generate the attestations? I can not find a relevant section in your `release` workflow.

1

Piotr P. Karwasz @piotr.karwasz.org · Mar 5

Is NVD still funded at all?

1

Piotr P. Karwasz @piotr.karwasz.org · Feb 22

See all the talks of ASF contributors at FOSDEM

Apache Software Foundation (The ASF) @apache.org · Feb 17

[New Blog] FOSDEM 2025 Recap: Open Source Contributors Unite to Collaborate and Help Advance Apache Software Projects https://buff.ly/3X4GZ2H

#opensource #FOSDEM

1 1

Piotr P. Karwasz @piotr.karwasz.org · Feb 20

Unfortunately AI is not limited to e-mails. We are receiving an increasing number of AI-generated issue reports and we would need an AI to close those reports automatically… 😀

1 2

Reposted by Piotr P. Karwasz

OpenForum Europe @openforumeurope.org · Feb 13

On 11 June, OFE will be in Warsaw to host the next edition of the Capital Series.

We would like to extend our sincere gratitude to our sponsor and partners: APELL, Apache Software Foundation, Linux Professional Institute, PIIT, Red Hat.

Register: openforumeurope.org/event/capita...

#Poland25EU

1

Reposted by Piotr P. Karwasz

OpenForum Europe @openforumeurope.org · Feb 10

We’re excited to announce that our upcoming Capital Series Poland will be hosted under the auspices of the Polish presidency of the Council of the European Union on 11 June in Warsaw.

Register here to secure a spot and read more:

openforumeurope.org/event/capita...

#Poland25EU

2 1

Piotr P. Karwasz @piotr.karwasz.org · Feb 10

Did you miss my talk at FOSDEM? Are you wondering what you should do when Log5Shell comes out? The video has been published: video.fosdem.org/2025/ub4132/...

video.fosdem.org

Piotr P. Karwasz @piotr.karwasz.org · Feb 10

The taximeter was not working either, right? I guess you just got scammed.

1

Piotr P. Karwasz @piotr.karwasz.org · Feb 9

It is interesting to see that 49% of your responders is still experiencing security vulnerabilities from #log4j in 2024. I am really curious what does it mean. Since fixes for all known vulnerabilities are also available for Java 6 and 7, didn't they upgrade in 2021?

3 2

Reposted by Piotr P. Karwasz

Sovereign Tech Agency @sovereign.tech · Feb 6

Jan Kowalleck, Sarah Hoffmann, @hugovk.dev, @mklu.bsky.social, Stefan Eissing und Denis Ovsienko sind der erste Jahrgang des Sovereign Tech Fellowship. Wir heißen die sechs Maintainer*innen willkommen, die am einjährigen Pilotprogramm 1/2

1 2 5

Reposted by Piotr P. Karwasz

Alros @alros.bsky.social · Feb 4

This is gold! An AI pretends to be an old confused lady and wastes scammers time.

www.theguardian.com/technology/v...

'I'm a bit lost now': Daisy the AI bot speaks to scammer – video

O2 has introduced “AI granny” Daisy for a short period to show what could be done with artificial intelligence to counter the scourge of scammers

www.theguardian.com

1 2