Posted to dev@logging.apache.org by GitBox <gi...@apache.org> on 2022/01/01 17:35:47 UTC

[GitHub] [logging-log4j1] larrywest edited a comment on pull request #17: Cleaned-up log4j 1.2 that disables scary networking (base=1.2.17, fully binary compatible)

larrywest edited a comment on pull request #17:
URL: https://github.com/apache/logging-log4j1/pull/17#issuecomment-1003588369


   _My $0.000002:_
   
   Log4j 1.x reached end-of-life long ago - last updated a decade ago.
   
   > On August 5, 2015 the Logging Services Project Management Committee announced that Log4j 1.x had reached end of life
   
   From 2019 in re CVE-2019-17571:
   
   > ... This can provide an attack vector that can be exploited. Since Log4j 1 is no longer maintained this issue will not be fixed. Users are urged to upgrade to Log4j 2.
   
   * https://logging.apache.org/log4j/1.2/
   * https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces
   * https://blogs.apache.org/logging/entry/moving_on_to_log4j_2
   
   There's no rationale given here for bringing log4j 1.x back from the dead, and anyone who cares about security or project hygiene has long since moved on to log4j2 or logback.
   
   Assuming there are reasons, why not fork this and call it something else?
   
   ---
   
   _Update:_
   
   This applies to PR #18, too. I'm only a user — once upon a time of log4j 1.x — not a contributor, but I'm puzzled why there's not a clear statement on either PR justifying reversing the above-cited decisions.
   

