You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-dev@axis.apache.org by Davanum Srinivas <da...@gmail.com> on 2005/04/04 00:38:24 UTC
yank log4j jar from dist?
Since we don't really need it? Should we yank it from dist?
see http://blogs.msdn.com/dotnetinterop/archive/2005/03/31/404087.aspx
thanks,
dims
--
Davanum Srinivas - http://webservices.apache.org/~dims/
Re: yank log4j jar from dist?
Posted by Steve Loughran <st...@apache.org>.
Davanum Srinivas wrote:
> Since we don't really need it? Should we yank it from dist?
> see http://blogs.msdn.com/dotnetinterop/archive/2005/03/31/404087.aspx
>
> thanks,
> dims
>
He had the complete set of problems, with endorsed directories, etc,
etc. At least happyaxis.jsp identified the existence of trouble. Maybe
we should extend it with log4j enhancements.
I do agree there is a problem with JAR files and it is more fundamental
than just what we include here. Expect lots of coverage of this in the
second edition of Java Development with Ant :)
-Java1.4's endorsed directories was a mistake. Java1.5 rolls things back
a bit, by renaming the apache packages.
-signing doesnt cut it. Once you sign jars the classloader starts to act
different; you cant add new code into the same packages 'cept when they
are signed too. Which is painful in OSS stuff.
-The maven repository stuff is more interesting. If you have a central
cache of files stored as /project/artifact-version.jar, then you can
declarative switch versions. This is essentially .NET's GAC, without the
strong names. You could use it with maven, ant, or something a bit like
ant that only launches programs; an XML app launcher (tomcat uses ant
for this, but I am doing the repository stuff in smartfrog for a managed
launcher)
I've argued a bit on the apache repository mail list (centre of
discourse about repository stuff on apache) for using strong names in
versions. So instead of log4j-1.2.jar, you'd also have, via the wonder
of symlinks
log4j-4f32acb4def.jar
the advantage of this approach is (a) no confusion about versions, (b)
explicit security in your downloads, when you go
<library project="log4j" version="4f32acb4def" /> then the downloader
can verify the checksum after download, as it has the checksum already.
------
returning to log4j, its less essential in java1.5 as it used to be. and
pulling it stops the ant tasks telling you off for not having a
non-default log4j config (that message really irritates me, I dont see
why I should be told off by log4j there). So pulling it would be
tractable. This person's problems go much deeper than log4j; they go
into WAR vs EAR vs JBoss classloader policies.
-steve