Posted to dev@logging.apache.org by Ralph Goers <ra...@dslextreme.com> on 2022/01/01 15:18:39 UTC

Re: [VOTE] Future of Log4j 1.x

+1 to Option 1

Ralph

> On Dec 29, 2021, at 12:33 PM, Christian Grobmeier <gr...@apache.org> wrote:
> 
> Hello, 
> 
> as discussed in another thread, this is a vote about the future of log4j 1. This vote stays open for the usual 72h.
> Options are explained below.
> 
> You can vote for:
> 
> [ ] +1, Option 1
> [ ] +1, Option 2
> [ ] +/- 0, abstain
> [ ] -1 object against those options
> 
> Option 1: Create a README.md that publishes the project's EOL status and do nothing else.
> Option 2: Create a README which says the project is EOL but allow the following work for 1.2.18 AND create a full release:
>    a.  Make the build work with a modern version of Maven.
>    b.  Fix the Java version bug.
>    c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
>    d.  Fix CVE-2019-17571
> 
> Regards,
> Christian
> --
> The Apache Software Foundation
> V.P., Data Privacy
> 


Re: [VOTE] Future of Log4j 1.x

Posted by Matt Sicker <bo...@gmail.com>.
I’m +1 for option one. For projects that ignored published CVEs for multiple years and then ignored the EOL announcement, I don’t see any reason they’d bother updating their ancient copies. The release difficulty in making something that’s compatible with previous releases makes this even more of a waste of time.

—
Matt Sicker

> On Jan 1, 2022, at 11:20, Jochen Wiedmann <jo...@gmail.com> wrote:
> 
> On Sat, Jan 1, 2022 at 4:40 PM Xeno Amess <xe...@gmail.com> wrote:
> 
>>> People should migrate to log4j2.
>> good thinking, but what if they migrate to logback...
> 
> No, it's not (good thinking, that is).
> 
> Log4j1 is a part of basically *every* Java based server software, that
> I am aware of. People don't want to touch those. They need a drop-in
> replacement, not a successor. Over the last week, I was *really
> puzzled* about all the stuff that claims to be affected by the
> problems in log4j2. And that's the lesser used of the two...
> 
> Jochen
> 
> 
> 
> Philosophy is useless, theology is worse. (Industrial Disease, Dire Straits)

Re: [VOTE] Future of Log4j 1.x

Posted by Christian Grobmeier <gr...@apache.org>.
On Sat, Jan 1, 2022, at 18:19, Jochen Wiedmann wrote:
> On Sat, Jan 1, 2022 at 4:40 PM Xeno Amess <xe...@gmail.com> wrote:
>
>> >  People should migrate to log4j2.
>> good thinking, but what if they migrate to logback...
>
> No, it's not (good thinking, that is).
>
> Log4j1 is a part of basically *every* Java based server software, that
> I am aware of. People don't want to touch those. They need a drop-in
> replacement, not a successor. Over the last week, I was *really
> puzzled* about all the stuff that claims to be affected by the
> problems in log4j2. And that's the lesser used of the two...

For what exactly do we need that now? The security issues in log4j1 are 10 years old and you just don't have to use JMSAppender and you are good to go.

Cheers,
Christian

> Jochen
>
>
>
> Philosophy is useless, theology is worse. (Industrial Disease, Dire Straits)

Re: [VOTE] Future of Log4j 1.x

Posted by Jochen Wiedmann <jo...@gmail.com>.
On Sat, Jan 1, 2022 at 4:40 PM Xeno Amess <xe...@gmail.com> wrote:

> >  People should migrate to log4j2.
> good thinking, but what if they migrate to logback...

No, it's not (good thinking, that is).

Log4j1 is a part of basically *every* Java based server software, that
I am aware of. People don't want to touch those. They need a drop-in
replacement, not a successor. Over the last week, I was *really
puzzled* about all the stuff that claims to be affected by the
problems in log4j2. And that's the lesser used of the two...

Jochen



Philosophy is useless, theology is worse. (Industrial Disease, Dire Straits)

[DISCUSS][VOTE] Future of Log4j 1.x

Posted by Ralph Goers <ra...@dslextreme.com>.
Discussion shouldn’t happen on the main vote thread please.

Users are certainly free to use Logback. If they are OK with losing log events 
during reconfiguration and using a framework that is maintained by one person 
and are OK when he disappears for a year and a half that is their choice. Please 
remember, this is not a commercial venture. No Java logging framework is. 

Switching to Logback also requires work. It doesn’t natively support Log4j 1 
configuration files. Log4j 2 does support Log4j 1 configuration using the Log4j 
1.2 bridge, which we are constantly improving.

But the bottom line is that I would prefer that users migrate to Logback over 
sticking with Log4j 1. Although it has many of Log4j 1’s flaws it does not suffer 
from the multi-threading issues that Log4j 1 has. Of course, I think Log4j 2 is a 
better choice, but I am obviously biased.

Happy New Year!

Ralph



> On Jan 1, 2022, at 8:40 AM, Xeno Amess <xe...@gmail.com> wrote:
> 
> +0
> 
>> People should migrate to log4j2.
> good thinking, but what if they migrate to logback...
> IMO logback is more like log4j1 than log4j2, just from the user side.
> 
> 
> Ralph Goers <ra...@dslextreme.com> wrote on Sat, Jan 1, 2022 at 23:18:
> 
>> +1 to Option 1
>> 
>> Ralph
>> 
>>> On Dec 29, 2021, at 12:33 PM, Christian Grobmeier <gr...@apache.org>
>> wrote:
>>> 
>>> Hello,
>>> 
>>> as discussed in another thread, this is a vote about the future of log4j
>> 1. This vote stays open for the usual 72h.
>>> Options are explained below.
>>> 
>>> You can vote for:
>>> 
>>> [ ] +1, Option 1
>>> [ ] +1, Option 2
>>> [ ] +/- 0, abstain
>>> [ ] -1 object against those options
>>> 
>>> Option 1: Create a README.md that publishes the project's EOL status and
>> do nothing else.
>>> Option 2: Create a README which says the project is EOL but allow the
>> following work for 1.2.18 AND create a full release:
>>>   a.  Make the build work with a modern version of Maven.
>>>   b.  Fix the Java version bug.
>>>   c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
>>>   d.  Fix CVE-2019-17571
>>> 
>>> Regards,
>>> Christian
>>> --
>>> The Apache Software Foundation
>>> V.P., Data Privacy
>>> 
>> 
>> 


Re: [VOTE] Future of Log4j 1.x

Posted by Xeno Amess <xe...@gmail.com>.
+0

>  People should migrate to log4j2.
good thinking, but what if they migrate to logback...
IMO logback is more like log4j1 than log4j2, just from the user side.


Ralph Goers <ra...@dslextreme.com> wrote on Sat, Jan 1, 2022 at 23:18:

> +1 to Option 1
>
> Ralph
>
> > On Dec 29, 2021, at 12:33 PM, Christian Grobmeier <gr...@apache.org>
> wrote:
> >
> > Hello,
> >
> > as discussed in another thread, this is a vote about the future of log4j
> 1. This vote stays open for the usual 72h.
> > Options are explained below.
> >
> > You can vote for:
> >
> > [ ] +1, Option 1
> > [ ] +1, Option 2
> > [ ] +/- 0, abstain
> > [ ] -1 object against those options
> >
> > Option 1: Create a README.md that publishes the project's EOL status and
> do nothing else.
> > Option 2: Create a README which says the project is EOL but allow the
> following work for 1.2.18 AND create a full release:
> >    a.  Make the build work with a modern version of Maven.
> >    b.  Fix the Java version bug.
> >    c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
> >    d.  Fix CVE-2019-17571
> >
> > Regards,
> > Christian
> > --
> > The Apache Software Foundation
> > V.P., Data Privacy
> >
>
>