Posted to notifications@logging.apache.org by "Robert Middleton (Jira)" <lo...@logging.apache.org> on 2021/12/11 15:28:00 UTC

[jira] [Commented] (LOGCXX-539) Allow distribution log4j to be used for socketservertest

    [ https://issues.apache.org/jira/browse/LOGCXX-539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457636#comment-17457636 ] 

Robert Middleton commented on LOGCXX-539:
-----------------------------------------

PR merged.

Note that the current plan is to remove the need for this for the next major version by removing the capability for serialization of Java objects, since that is known to be insecure.

> Allow distribution log4j to be used for socketservertest
> --------------------------------------------------------
>
>                 Key: LOGCXX-539
>                 URL: https://issues.apache.org/jira/browse/LOGCXX-539
>             Project: Log4cxx
>          Issue Type: Improvement
>          Components: Tests
>            Reporter: Tobias Frost
>            Priority: Minor
>             Fix For: 0.13.0
>
>         Attachments: 0003-Use-packaged-liblog4j-1.2.patch
>
>
> (This is a patch I need for the Debian packaging)
> The CMakeLists.txt for the socket server tries to download log4j-1.2 from Apache.
> Debian does not allow resources to be downloaded during build and has a policy that (if possible) packaged resources are to be used. In Debian, log4j version 1.2 is packaged in the package liblog4j1.2-java, so I need to use this one.
> The patch (will also be provided as PR) changes the logic so that it will only download log4j if find_jar could not find it using default search paths.
> Additionally, I changed the md5 to a sha256 checksum, as md5s are insecure.


