Posted to dev@logging.apache.org by "Piotr P. Karwasz" <pi...@gmail.com> on 2022/10/06 14:44:23 UTC

Re: Sync `master` and `release-2.x` test structure

On Mon, 12 Sept 2022 at 09:11, Piotr P. Karwasz <pi...@gmail.com> wrote:
> It would also be nice to synchronise the `pom.xml` of `release-2.x`
> and `master`. Since the main `pom.xml` has about a hundred
> dependencies, what do you think about normalizing them by:
>
>  * using BOMs if available (e.g. Jackson),
>  * removing the scope from `<dependencyManagement>`: this way there
> will be no difference between BOMs and explicit dependencies. It's
> more verbose, but we won't risk having JUnit in the compile scope.
>  * removing exclusions from `<dependencyManagement>`: AFAIK they are
> ignored by Maven. Or we can keep the exclusions as a template for the
> projects.
>  * adding a property in the main pom.xml for *each* dependency used
> (e.g. even `slf4j-api:2.0.0` used in a single module). A convention on
> how to name these properties would be nice too...
>  * sorting dependencies by scope (provided > compile > runtime >
> test), artifactId and groupId.

I finished moving things around. All the dependencies of the published
artifacts are in the `log4j` POM and versions are specified through
properties, so that they can be overridden in single modules. Of
course `log4j-bom` and `log4j-distribution` need to deal with their
dependencies independently (unless we add artifacts with `sources` and
`javadoc` classifiers to `log4j-bom`).

Two XSLTs in `src/tools` allow sorting the POMs and listing all the
plugin and dependency versions that are explicitly provided. Excluding
the aforementioned `log4j`, `log4j-bom` and `log4j-distribution`,
these are the results of running `src/tools/explicit-version.xslt` on
all POMs (the comments are mine):

Artifact:log4j-cassandra
Version related properties:
    guava.version = 25.1-jre // still vulnerable to CVE-2020-8908, but Cassandra does not work with newer versions

Artifact:log4j-jpl
Version related properties:
    surefire.version = 2.13 // to use 3.x we need to run Maven on JDK 9+

Artifact:log4j-jul
Dependencies for plugin maven-surefire-plugin:
    org.apache.maven.surefire:surefire-junit47:${surefire.version} // `surefire-platform` initializes JUL before our tests can do it

Artifact:log4j-mongodb3
Version related properties:
    mongodb.version = 3.12.11 // override of the default 4.5

Artifact:log4j-osgi
Project dependencies:
    org.apache.logging.log4j.samples:log4j-samples-configuration:${project.version}

Artifact:log4j-perf
Dependencies for plugin maven-shade-plugin:
    com.github.edwgiz:maven-shade-plugin.log4j2-cachefile-transformer:${log4j2-cachefile-transformer.version}

Artifact:log4j-samples
Version related properties:
    maven-jetty-plugin.version = 6.1.26
    spring-ws.version = 3.1.3
Dependency management:
    org.apache.logging.log4j.samples:log4j-samples-flume-common:${project.version}
    org.springframework.ws:spring-ws-core:${spring-ws.version}
Plugin management:
    org.mortbay.jetty:maven-jetty-plugin:${maven-jetty-plugin.version}

Artifact:log4j-slf4j-impl
Version related properties:
    slf4j.version = 1.7.25 // 1.7.26 has breaking changes

Artifact:log4j-spring-cloud-config-samples
Version related properties:
    spring-ws.version = 3.1.3
Dependency management:
    org.springframework.ws:spring-ws-core:${spring-ws.version}
Plugin management:
    org.springframework.boot:spring-boot-maven-plugin:${spring-boot.version}

Artifact:log4j-spring-cloud-config
Version related properties:
    spring-cloud.version = 2021.0.4
Dependency management:
    org.apache.logging.log4j:log4j-bom:${project.version}:pom
    org.springframework.boot:spring-boot-dependencies:${spring-boot.version}:pom
    org.springframework.cloud:spring-cloud-dependencies:${spring-cloud.version}:pom

Artifact:log4j-slf4j2-impl
Version related properties:
    slf4j.version = 2.0.0

Piotr
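
Listing the versions a module pins on its own, as the report above does, is what surfaces overrides such as the `guava.version` pin during a dependency audit. The Python sketch below is an added example that approximates that kind of report; it is not the project's `src/tools/explicit-version.xslt`, and the sample POM, the `explicit_versions` name and the "Plugin dependencies" heading are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed module POM for illustration; not taken from the Log4j repository.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>example-module</artifactId>
  <properties>
    <guava.version>25.1-jre</guava.version>
    <maven.compiler.source>8</maven.compiler.source>
  </properties>
  <dependencies>
    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId></dependency>
    <dependency><groupId>org.example</groupId><artifactId>helper</artifactId>
      <version>${project.version}</version></dependency>
  </dependencies>
  <build><plugins><plugin><artifactId>maven-surefire-plugin</artifactId>
    <dependencies><dependency><groupId>org.example</groupId><artifactId>provider</artifactId>
      <version>${surefire.version}</version></dependency></dependencies>
  </plugin></plugins></build>
</project>"""

# Report heading -> elements whose own <version> child counts as explicit.
SECTIONS = {
    "Project dependencies": "m:dependencies/m:dependency",
    "Dependency management": "m:dependencyManagement/m:dependencies/m:dependency",
    "Plugin management": "m:build/m:pluginManagement/m:plugins/m:plugin",
    "Plugin dependencies": "m:build/m:plugins/m:plugin/m:dependencies/m:dependency",
}


def explicit_versions(pom_xml):
    """Return {heading: [entries]} for every version a module POM pins itself."""
    root = ET.fromstring(pom_xml)  # POMs from our own checkout: trusted input
    pairs = ((p.tag.rpartition("}")[2], (p.text or "").strip())
             for p in root.findall("m:properties/*", NS))
    report = {"Version related properties":
              [f"{n} = {v}" for n, v in pairs if n.endswith(".version")]}
    for heading, path in SECTIONS.items():
        report[heading] = pinned = []
        for el in root.findall(path, NS):
            version = el.findtext("m:version", namespaces=NS)
            if version:  # no <version> child: the parent POM or a BOM decides
                group = el.findtext("m:groupId", "org.apache.maven.plugins", NS)
                name = el.findtext("m:artifactId", namespaces=NS)
                pinned.append(f"{group}:{name}:{version.strip()}")
    return {h: entries for h, entries in report.items() if entries}


if __name__ == "__main__":
    print(explicit_versions(SAMPLE_POM))
```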

Re: Sync `master` and `release-2.x` test structure

Posted by Matt Sicker <bo...@gmail.com>.
Thanks for handling this!
—
Matt Sicker
