Good question, I guess that is part of what I hope to get out of
this thread.
I was originally thinking: make the wording stronger in the docs as well as
stopping CVE scans during release.
But then I wonder about the optics of us providing artifacts in Maven for
things we are knowingly not scanni
I think this sounds reasonable, but to clarify, what would the actual
change be here, just stronger wording in
https://druid.apache.org/docs/latest/configuration/extensions/#community-extensions
and not scanning for CVE? Or something more, e.g. would we stop
publishing contrib jars to Maven
(https:/