You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@logging.apache.org by "Ralph Goers (Jira)" <ji...@apache.org> on 2022/05/30 21:52:00 UTC
[jira] [Updated] (LOG4J2-3511) Make Log4j use its own BOM
[ https://issues.apache.org/jira/browse/LOG4J2-3511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ralph Goers updated LOG4J2-3511:
--------------------------------
Fix Version/s: 3.0.0
(was: 2.18.0)
> Make Log4j use its own BOM
> --------------------------
>
> Key: LOG4J2-3511
> URL: https://issues.apache.org/jira/browse/LOG4J2-3511
> Project: Log4j 2
> Issue Type: Improvement
> Reporter: Volkan Yazici
> Priority: Major
> Fix For: 3.0.0
>
>
> Even though we provide a BOM module (`log4j-bom`), we don't consume it ourselves. Hence occasionally we end up publishing artifacts not included in the BOM. Consuming our own BOM decreases the chances of missing out artifacts in BOM, though doesn't totally eliminate the chances of that happening.
> When I read [how Maven advises to structure the BOM module|https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#bill-of-materials-bom-poms], I understand what needs to be in the case of Log4j is the following:
> /pom.xml (`log4j-bom` module)
> /log4j-parent/pom.xml (`log4j` module importing `log4j-bom`)
> /log4j-parent/log4j-core/pom.xml (`log4j-core` module parented by `log4j`)
> Though what we have in reality is the following:
> /log4j-bom/pom.xml (`log4j-bom` module)
> /pom.xml (`log4j` module parented by `logging-parent`)
> /log4j-core/pom.xml (`log4j-core` module parented by `log4j`)
> Ideally we should follow the Maven-advised approach and consume from our BOM parented by `logging-parent`.
> See [the related mailing list discussion|https://lists.apache.org/thread/fcdq8gqdc7ccstbjj65hhx22xcwqm6nk].
--
This message was sent by Atlassian Jira
(v8.20.7#820007)