Piotr P. Karwasz
piotr.karwasz.org
Java & Open Source expert | Apache Software Foundation member | VP Logging Services & Ecma Relations | Father of three wonderful daughters
Reposted by Piotr P. Karwasz
Jackson 3.0.0 (GA) release now starting!

github.com/FasterXML/ja...

#java #json #xml #csv #cbor #csv
Jackson Release 3.0
Main Portal page for the Jackson project. Contribute to FasterXML/jackson development by creating an account on GitHub.
github.com
October 3, 2025 at 9:57 PM
🚀 Log4j 2.25.0 is out! Highlights include native GraalVM support and improved stack trace control and datetime formatting. Check out the full release notes: logging.apache.org/log4j/2.x/re...
Release notes :: Apache Log4j
logging.apache.org
June 16, 2025 at 8:21 PM
We're teaming up with Open Source Economy to learn what users expect from critical Java libraries like #apache-commons, #httpclient, #log4j, #jackson and more—especially around version support, issues and security.

Help us improve support by filling out this short survey: forms.gle/5Ad81MMcL7sy...
Java Critical Libraries Community Survey
Tell Us About Your Needs We’re gathering feedback on a set of Java libraries that the OpenSSF has classified as critical— including Log4j, HttpComponents, FasterXML Jackson & Woodstox, SnakeYAML, lu...
forms.gle
June 11, 2025 at 9:39 AM
I just released version `0.2.0` of SBOM Enforcer Maven Plugin.

This plugin does for (CycloneDX) SBOMs what the Maven Enforcer Plugin does for POM files.
Although the current number of built-in rules is small, the plugin is extensible and other built-in rules are on their way!
Release 0.2.0 · sbom-enforcer/sbom-enforcer
What's Changed fix: possible NPEs in handling Maven and CycloneDX models by @ppkarwasz in #42 fix: handle modules with packaging pom by @ppkarwasz in #43 fix: set global workflow permissions to em...
github.com
April 28, 2025 at 5:53 PM
Reposted by Piotr P. Karwasz
A coalition of CVE Board members launched a new CVE Foundation "to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program."

www.thecvefoundation.org
April 16, 2025 at 8:12 AM
Reposted by Piotr P. Karwasz
"CVE Foundation Launched to Secure the Future of the CVE Program"

Please note this is not an official CVE Board action, but the action of a rogue group within the CVE Board to try and save the CVE Program.

www.linkedin.com/in/...

bsky.app/profile/cve...
April 16, 2025 at 8:00 AM
Let us analyze the exploitability of vulnerabilities in OSS together. In collaboration with OpenRefactory, we developed a prototype to analyze the exploitability of CVEs all along the dependency chain and submit that data to the OSS projects themselves. More info soon at:
github.com/copernik-eu/...
VEX Generation at Scale
YouTube video by Piotr P. Karwasz
www.youtube.com
April 16, 2025 at 6:07 AM
Reposted by Piotr P. Karwasz
BREAKING.

From a reliable source. MITRE support for the CVE program is due to expire tomorrow. The attached letter was sent out to CVE Board Members.
April 15, 2025 at 5:23 PM
@apache.org Kafka has released version 4.0.0 and is now using Log4j Core 2 as logging backend! @logging.apache.org
March 20, 2025 at 6:08 AM
See all the talks of ASF contributors at FOSDEM
[New Blog] FOSDEM 2025 Recap: Open Source Contributors Unite to Collaborate and Help Advance Apache Software Projects https://buff.ly/3X4GZ2H

#opensource #FOSDEM
February 22, 2025 at 7:33 AM
Unfortunately AI is not limited to e-mails. We are receiving an increasing number of AI-generated issue reports and we would need an AI to close those reports automatically… 😀
February 20, 2025 at 12:37 PM
Reposted by Piotr P. Karwasz
On 11 June, OFE will be in Warsaw to host the next edition of the Capital Series.

We would like to extend our sincere gratitude to our sponsor and partners: APELL, Apache Software Foundation, Linux Professional Institute, PIIT, Red Hat.

Register: openforumeurope.org/event/capita...

#Poland25EU
February 13, 2025 at 12:20 PM
Reposted by Piotr P. Karwasz
We’re excited to announce that our upcoming Capital Series Poland will be hosted under the auspices of the Polish presidency of the Council of the European Union on 11 June in Warsaw.

Register here to secure a spot and read more:

openforumeurope.org/event/capita...

#Poland25EU
February 10, 2025 at 3:59 PM
Did you miss my talk at FOSDEM? Are you wondering what you should do when Log5Shell comes out? The video has been published: video.fosdem.org/2025/ub4132/...
video.fosdem.org
February 10, 2025 at 9:03 AM
Reposted by Piotr P. Karwasz
Jan Kowalleck, Sarah Hoffmann, @hugovk.dev, @mklu.bsky.social, Stefan Eissing and Denis Ovsienko are the first cohort of the Sovereign Tech Fellowship. We welcome the six maintainers who, in the one-year pilot program 1/2
February 6, 2025 at 11:47 AM
Reposted by Piotr P. Karwasz
This is gold! An AI pretends to be an old confused lady and wastes scammers' time.

www.theguardian.com/technology/v...
'I'm a bit lost now': Daisy the AI bot speaks to scammer – video
O2 has introduced “AI granny” Daisy for a short period to show what could be done with artificial intelligence to counter the scourge of scammers
www.theguardian.com
February 4, 2025 at 1:02 PM
Reposted by Piotr P. Karwasz
Outlier AI. You are doing it wrong.

Hiring people to post completely nonsense or copy&pasted issues in reputable open-source repositories - and make maintainers train your AI on it? Not good.

There are 50 such issues in last few days in @airflow repo [1] and counting. More details in [2] […]
Original post on fosstodon.org
fosstodon.org
January 26, 2025 at 7:51 PM
Reposted by Piotr P. Karwasz
Capital Series is heading to Warsaw on June 11th! 🌍

Join us to explore how #OpenSource can drive Poland's digitalization & security goals during its EU Presidency. 🤝

In partnership with Red Hat Poland, APELL, PIIT, LPI & Apache Software Foundation.

More to come! 👉 lnkd.in/e8SeArqb

#Poland25eu
January 8, 2025 at 12:52 PM
Nice guide to navigate through all the events of the EU Open Source week.
Home - EU Open Source Week
opensourceweek.eu
January 8, 2025 at 1:54 PM
Happy New Year to everyone!

Now we have less than 1074 days until the Cyber Resilience Act obligations apply.
Cyber Resilience Act
Countdown to Dec 11, 2027. Showing days, hours, minutes and seconds ticking down to 0
www.timeanddate.com
January 1, 2025 at 11:37 AM
After another round of (automatically tested and merged) Dependabot upgrades, my thoughts return to the eternal question:
How to inform `libfoo` users that `libfoo` only requires `libbar` 1.0.0 (or later), but I have successfully tested it with `libbar` version 1.23.45?
December 20, 2024 at 12:05 PM
Reposted by Piotr P. Karwasz
Had a really good meeting with the #SCITT community today. I keep using their open meetings to get input for the #OWASP Transparency Exchange API - how to add transparency logs and monitor for abuse, changes and manipulation. Software transparency is a lot about trust.

#SBOM #TEA
December 16, 2024 at 8:52 PM
@logging.apache.org, we have just released Apache Log4j `2.24.3`.
Log4j API 2.24.3 will be used at the same time by future Log4j Core 2.x and Log4j Core 3.x releases.
Release Notes :: Apache Log4j
logging.apache.org
December 13, 2024 at 1:41 PM