On December 23, 2021 6:52 PM, Junio C Hamano wrote: > I wonder if we should do something like this, for limited time like a few > months or so, so that we have something prominently shown at places like > https://github.com/git/git/ > > Signed-off-by: Junio C Hamano <gitster@xxxxxxxxx> > --- > README.md | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git c/README.md w/README.md > index f6f43e78de..76e99fe5bb 100644 > --- c/README.md > +++ w/README.md > @@ -7,6 +7,9 @@ Git is a fast, scalable, distributed revision control system > with an unusually rich command set that provides both high-level operations > and full access to internals. > > +No part of Git is written in Java, hence it is not susceptible to the > +log4j vulnerability that has been causing sensation recently. > + > Git is an Open Source project covered by the GNU General Public License > version 2 (some parts of it are under different licenses, compatible with the > GPLv2). It was originally written by Linus This is a good idea. I have had to reassure a whole bunch of people in my community about this, not really because of git itself but because of the Maven build associated with EGit/JGit that may (do) have this issue if the wrong version of log4j is available. I would rather not discuss the particulars of the attack vector in this mailing list. --Randall
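Review bot: the two added lines after the "full access to internals." paragraph read as a permanent statement ("that has been causing sensation recently"), although the proposal is to carry them for only a few months. Nothing in the sentence dates the notice or identifies which log4j issue is meant, so it will become stale and ambiguous if it is left in the README. Consider naming the specific advisory and its date in the text, and scoping the claim to the code in this repository, since Java-based projects such as JGit/EGit and their Maven builds are a separate matter, as the reply points out. Minor wording: "causing a sensation".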