Posted to notifications@logging.apache.org by GitBox <gi...@apache.org> on 2023/01/11 04:14:17 UTC

[GitHub] [logging-log4j2] jvz opened a new pull request, #1199: LOG4J2-3228 - Remove support for java.io.Serializable

jvz opened a new pull request, #1199:
URL: https://github.com/apache/logging-log4j2/pull/1199

   This removes Serializable from various APIs including Message, Layout, LogEvent, Logger, and ReadOnlyStringMap. Java serialization is a security hazard. Messages and LogEvents already have numerous alternatives for generic serialization which should be used instead.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@logging.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [logging-log4j2] jvz commented on a diff in pull request #1199: LOG4J2-3228 - Remove support for java.io.Serializable

Posted by GitBox <gi...@apache.org>.
jvz commented on code in PR #1199:
URL: https://github.com/apache/logging-log4j2/pull/1199#discussion_r1070432082


##########
log4j-api/src/main/java/org/apache/logging/log4j/message/ObjectMessage.java:
##########
@@ -115,28 +108,14 @@ private boolean equalObjectsOrStrings(final Object left, final Object right) {
 
     @Override
     public int hashCode() {
-        return obj != null ? obj.hashCode() : 0;
+        return obj.hashCode();
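Review bot: `return obj.hashCode();` in `hashCode()` drops the null guard, so it now throws a NullPointerException if `obj` is ever null. That is only safe while every path that assigns `obj` normalizes null first. Declaring the field `final` and adding a one-line comment on `hashCode()` stating that `obj` is never null would make the invariant explicit for future edits.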

Review Comment:
   ```
       public ObjectMessage(final Object obj) {
           this.obj = obj == null ? "null" : obj;
       }
   ```
   
   Doesn't matter if they do.





[GitHub] [logging-log4j2] jvz commented on pull request #1199: LOG4J2-3228 - Remove support for java.io.Serializable

Posted by GitBox <gi...@apache.org>.
jvz commented on PR #1199:
URL: https://github.com/apache/logging-log4j2/pull/1199#issuecomment-1382940271

   I'm currently running the tests to make sure the revert of `log4j-1.2-api` code is ok with the rest of this PR before I push that up. Then I can merge from there after a PR run.




[GitHub] [logging-log4j2] jvz commented on pull request #1199: LOG4J2-3228 - Remove support for java.io.Serializable

Posted by GitBox <gi...@apache.org>.
jvz commented on PR #1199:
URL: https://github.com/apache/logging-log4j2/pull/1199#issuecomment-1381313773

   Alright, @garydgregory, I've removed the unnecessary generic parameter. However, this raises a cleanup issue: we now have `AbstractLayout` and `AbstractStringLayout` which logically should be merged, but this isn't really that easy to do without making weird classes like `AbstractStringLayout.Serializer2` or breaking backward compatibility. Given the existing tests we have for `EcsLayout`, there's clearly some desire for binary compatibility with basic Log4j2 plugins, and the abstract layout classes are seemingly one of those. What do you think? Should I try to pull up whatever members we can that maintain binary compatibility, or should I just leave it as is?




[GitHub] [logging-log4j2] jvz merged pull request #1199: LOG4J2-3228 - Remove support for java.io.Serializable

Posted by GitBox <gi...@apache.org>.
jvz merged PR #1199:
URL: https://github.com/apache/logging-log4j2/pull/1199




[GitHub] [logging-log4j2] ppkarwasz commented on a diff in pull request #1199: LOG4J2-3228 - Remove support for java.io.Serializable

Posted by GitBox <gi...@apache.org>.
ppkarwasz commented on code in PR #1199:
URL: https://github.com/apache/logging-log4j2/pull/1199#discussion_r1070423491


##########
log4j-1.2-api/src/main/java/org/apache/log4j/spi/LocationInfo.java:
##########
@@ -16,24 +16,21 @@
  */
 package org.apache.log4j.spi;
 
-import java.io.Serializable;
 import java.util.Objects;
 
 /**
  * The internal representation of caller location information.
  *
  * @since 0.8.3
  */
-public class LocationInfo implements Serializable {
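Review bot: Removing `implements Serializable` from `LocationInfo` changes the public type of a class in `org.apache.log4j.spi` that the Javadoc marks `@since 0.8.3`. Existing callers that pass it where a `Serializable` is expected will stop compiling, and code that writes it to an `ObjectOutputStream` will fail at runtime. If this bridge module is meant to stay drop-in compatible, keep the interface here, or record the break in the class Javadoc and the release notes.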

Review Comment:
   I am not sure we can remove these, since we need to maintain compatibility with Log4j 1.2.





[GitHub] [logging-log4j2] ppkarwasz commented on a diff in pull request #1199: LOG4J2-3228 - Remove support for java.io.Serializable

Posted by GitBox <gi...@apache.org>.
ppkarwasz commented on code in PR #1199:
URL: https://github.com/apache/logging-log4j2/pull/1199#discussion_r1070427872


##########
log4j-api/src/main/java/org/apache/logging/log4j/message/ObjectMessage.java:
##########
@@ -115,28 +108,14 @@ private boolean equalObjectsOrStrings(final Object left, final Object right) {
 
     @Override
     public int hashCode() {
-        return obj != null ? obj.hashCode() : 0;
+        return obj.hashCode();
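Review bot: With the `obj != null` check gone from `hashCode()`, nothing in this hunk shows that a null argument is still handled. A unit test that calls `new ObjectMessage(null).hashCode()` and asserts it does not throw would pin the behaviour down alongside this change.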

Review Comment:
   Are we certain nobody calls `new ObjectMessage(null)`?


