You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Ahmed Hussein (Jira)" <ji...@apache.org> on 2021/03/30 13:00:00 UTC

[jira] [Comment Edited] (HADOOP-16206) Migrate from Log4j1 to Log4j2

    [ https://issues.apache.org/jira/browse/HADOOP-16206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17311504#comment-17311504 ] 

Ahmed Hussein edited comment on HADOOP-16206 at 3/30/21, 12:59 PM:
-------------------------------------------------------------------

Regarding the concerns that the downstream could use the network classes in log4j, those classes can be removed from the jar file without affecting Hadoop. Therefore, Security wise, the effort to migrate is not worthy.

If there is clear evidence of performance gains in log4j2, then this will be the real motivation to migrate. While I like the idea that the log4j bridge could reduce the work significantly, I believe that it would be better to fully move to log4j2. I think that the bridge may not last long given that it is not clear how its performance would compare to pure log4j2 implementation and how long support we get on the long run (i.e., future CVEs, using new JDKs..etc).



was (Author: ahussein):
Regarding the concerns that the downstream could use the network classes in log4j, those classes can be removed from the jar file without affecting Hadoop. Therefore, Security wise, the effort to migrate is not worthy.

If there is clear evidence of performance gains in log4j2, then this will be the real motivation to migrate. While I like the idea that the log4j bridge could reduce the work significantly, I believe that it would be better to fully move to log4j2. I just think that the bridge may not last long given that it is not clear how its performance would compare to pure log4j2 implementation and how long support we get on the long run (i.e., future CVEs, using new JDKs..etc).


> Migrate from Log4j1 to Log4j2
> -----------------------------
>
>                 Key: HADOOP-16206
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16206
>             Project: Hadoop Common
>          Issue Type: Sub-task
>    Affects Versions: 3.3.0
>            Reporter: Akira Ajisaka
>            Priority: Major
>         Attachments: HADOOP-16206-wip.001.patch
>
>
> This sub-task is to remove log4j1 dependency and add log4j2 dependency.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org