> On Dec 21, 2021, at 3:33 AM, Enrico Olivelli <eolive...@gmail.com> wrote:
> 
> Vladimir,
> I totally support this proposal.
> 
> What are actually the steps we need to cut a release of log4j 1.x?
> - establish an Apache project?
> - do the fix
> - cut a release
> 
> Can this be done inside another Apache Project that "adopts" the log4j
> sources if the Logging Project doesn't want to do it?

Perhaps Apache Commons where log4j started?
> 
> Enrico
> 
> 
> On Tue, Dec 21, 2021 at 08:36, Vladimir Sitnikov <
> sitnikov.vladi...@gmail.com> wrote:
> 
>>> Just wondering, is it even fulfilling the criteria of incubation?
>> 
>> I believe, the world does not need "active development in log4j 1.x"
>> nowadays.
>> What everybody needs from log4j 1.x is to fix security issues, fix
>> outstanding issues (if any),
>> keep the project buildable (e.g. avoid using outdated build systems), etc.
>> 
>>> it doesn't seem that sustainability is proven.
>> 
>> The problem is log4j 1.x is like COBOL of logging. There are apps that are
>> just stuck with log4j 1.x.
>> The proof of sustainability is that lots of existing apps will never
>> upgrade to 2.x because 2.x is incompatible.
>> If the compatibility layer of 2.x would be improved to handle 99.999% of
>> apps,
>> then we could indeed move 1.x to the attic.
>> 
>> The Incubator Cookbook says:
>>> The ASF provides software for the public good,
>> 
>> As I described, log4j 2.x is not a direct replacement for log4j 1.x, and
>> there are **lots** of applications
>> that can't easily be upgraded to 2.x due to testing, configuration, and
>> implementation issues.
>> 
>> The current Logging PMC is focused on log4j 2.x only, and they have no
>> desire to release 1.x
>> 
>>> active development but focus only on CVE fixes
>> 
>> I would say, the primary goal of resurrecting 1.x is to focus on CVEs, and
>> keep the project buildable and testable.
>> However, it might be the case, that certain fixes or features would appear.
>> 
>> The sad story is that the industry is using 1.x A LOT, and what Logging PMC
>> did was
>> they ignored the community, and they just stopped maintaining 1.x and
>> focused on an incompatible 2.x
>> 
>> Not only do they stop maintaining 1.x, but they also deny others to pick up
>> the maintenance task.
>> 
>> What I am trying to do now is to pick up that maintenance activity.
>> 
>> Vladimir
>> 

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org