Man in a lab coat points at the blackboard, on which is written: Every single person who confuses correlation and causation ends up dying
You just can't be too careful
Great work, Tatu!
We've just upgraded Log4j 3 to use Jackson 3
github.com/apache/loggi...
Next up: gearing up for a GA release by the end of the year.
Fun fact: Log4j 3 is one year "younger", branched in 2018, so we are next in line for graduation.
Jackson 3.0.0 (GA) release now starting!
github.com/FasterXML/ja...
#java #json #xml #csv #cbor #csv
Log4j 2.25.0 is out! Highlights include native GraalVM support and improved stack trace control and datetime formatting. Check out the full release notes: logging.apache.org/log4j/2.x/re...
We're teaming up with Open Source Economy to learn what users expect from critical Java libraries like #apache-commons, #httpclient, #log4j, #jackson and more, especially around version support, issues and security.
Help us improve support by filling out this short survey: forms.gle/5Ad81MMcL7sy...
I just released version `0.2.0` of SBOM Enforcer Maven Plugin.
This plugin does for (CycloneDX) SBOMs what the Maven Enforcer Plugin does for POM files.
Although the current number of built-in rules is small, the plugin is extensible and other built-in rules are on their way!
Press release from the CVE Foundation: CVE Foundation Launched to Secure the Future of the CVE Program [Bremerton, Washington] - The CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program, a critical pillar of the global cybersecurity infrastructure for 25 years. Since its inception, the CVE Program has operated as a U.S. government-funded initiative, with oversight and management provided under contract. While this structure has supported the program's growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor. This concern has become urgent following an April 15, 2025 letter from MITRE notifying the CVE Board that the U.S. government does not intend to renew its contract for managing the program. While we had hoped this day would not come, we have been preparing for this possibility. In response, a coalition of longtime, active CVE Board members have spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation. The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide. "CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself," said Kent Landfield, an officer of the Foundation. "Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work - from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats." The formation of the CVE Foundation marks a major step toward eliminating a single point of failure in the vulnerability management ecosystem and ensuring…
A coalition of CVE Board members launched a new CVE Foundation "to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program."
www.thecvefoundation.org
"CVE Foundation Launched to Secure the Future of the CVE Program"
Please note this is not an official CVE Board action, but the action of a rogue group within the CVE Board to try and save the CVE Program.
www.linkedin.com/in/...
bsky.app/profile/cve...
Let us analyze the exploitability of vulnerabilities in OSS together. In collaboration with OpenRefactory, we developed a prototype to analyze the exploitability of CVEs all along the dependency chain and submit that data to the OSS projects themselves. More info soon at:
github.com/copernik-eu/...
NVD stopped working one year ago. They do not review and enrich CVE records with CPE identifiers any more. They only copy the records from the CVE database.
BREAKING.
From a reliable source. MITRE support for the CVE program is due to expire tomorrow. The attached letter was sent out to CVE Board Members.
@apache.org Kafka has released version 4.0.0 and is now using Log4j Core 2 as logging backend! @logging.apache.org
They might be right: AI will write 90% of the software, but only the remaining 10% will work.
How do you generate the attestations? I can not find a relevant section in your `release` workflow.
Is NVD still funded at all?
See all the talks of ASF contributors at FOSDEM
Unfortunately AI is not limited to e-mails. We are receiving an increasing number of AI-generated issue reports and we would need an AI to close those reports automatically…
On 11 June, OFE will be in Warsaw to host the next edition of the Capital Series.
We would like to extend our sincere gratitude to our sponsor and partners: APELL, Apache Software Foundation, Linux Professional Institute, PIIT, Red Hat.
Register: openforumeurope.org/event/capita...
#Poland25EU
We're excited to announce that our upcoming Capital Series Poland will be hosted under the auspices of the Polish presidency of the Council of the European Union on 11 June in Warsaw.
Register here to secure a spot and read more:
openforumeurope.org/event/capita...
#Poland25EU
Did you miss my talk at FOSDEM? Are you wondering what you should do when Log5Shell comes out? The video has been published: video.fosdem.org/2025/ub4132/...
The taximeter was not working either, right? I guess you just got scammed.
It is interesting to see that 49% of your responders are still experiencing security vulnerabilities from #log4j in 2024. I am really curious what it means. Since fixes for all known vulnerabilities are also available for Java 6 and 7, didn't they upgrade in 2021?
Sovereign Tech Fellowship wordmark
Jan Kowalleck, Sarah Hoffmann, @hugovk.dev, @mklu.bsky.social, Stefan Eissing and Denis Ovsienko are the first cohort of the Sovereign Tech Fellowship. We welcome the six maintainers who in the one-year pilot program 1/2
This is gold! An AI pretends to be an old confused lady and wastes scammers' time.
www.theguardian.com/technology/v...
Outlier AI. You are doing it wrong.
Hiring people to post completely nonsense or copy&pasted issues in reputable open-source repositories - and make maintainers train your AI on it? Not good.
There are 50 such issues in last few days in @airflow repo [1] and counting. More details in [2] […]
In Poland, nothing is more uncertain than the past!
I don't want to scare you, but you'll hit another shading-related snag when you try to generate a CycloneDX SBOM for `jackson-core`. Currently there is no support for shading.
Compose key on LK201 keyboard
⸘They probably never saw such a key on their keyboard‽