This log4j/jndi shitstorm is entertaining to no end. At work we got a mass BCC email urging us to update the default jdk due to nebulous "licensing issues". Right, that seems totally legit. No CYA at all.
2 years ago
I'd argue this exposes the bad idea in the "package store"-model of dependency management in general, something that is so convenient it's been creeping into a lot of languages. It inevitably does produce horrendously bloated and insecure software. Give me a good standard library any day. log4j doesn't need to do half the things it can do. ยท 2 years ago