The discussion continues here because the Logging PMC is intransigent and non-responsive to the concerns already well established by parties on this thread. I don't see how this can be resolved without you "giving in". Perhaps that is the problem, but I don't want to be an armchair psychiatrist, I just want a logging library without known security bugs that remains compatible with existing code and configuration formats and does not force me to transitively upgrade/rebuild/modify the world.
On Sat, Jan 8, 2022 at 5:00 PM Ralph Goers <ralph.go...@dslextreme.com> wrote: > > > > On Jan 8, 2022, at 4:34 PM, Andrew Purtell <apurt...@apache.org> wrote: > > > > The Logging PMC is the hostile party here as far as I can tell, operating > > in defiance of the community of users that have made the points I have > just > > written here abundantly clear for years. > > The Logging PMC is the owner of Log4j 1.x. We declared it EOL in 2015. Not > one single complaint was received nor were any proposals made to the PMC > until over 6 years later. This is not the sign of a hostile PMC but one > that has > moved on from unmaintainable software. Heck, even Ceki abandoned it years > before its last release to concentrate on its replacement. > > The PMC held a discussion on the dev mailing list. Out of non-PMC members > there were very few responses. One person was in favor of reviving the > project > even to the point of fixing bugs and continuing development beyond just > fixing > CVEs. Leo Simmons did offer to help. Here is what he said during the > discussion: > > I think I made clear what I am interested in through several emails > and in code. > I've also pointed out what I wouldn't do (like step up as a maintainer > on a. > permanent basis, or incubate something). > > I think all the relevant arguments on how to proceed with 1.x have been > made (a few times…). > I don't have anything new to add. > I'll accept the vote outcome. > > So we had two people expressing interest, one with no hope of ever being > offered > commit rights due to his behavior on our lists and in reviewing the other > projects > he participates on. > > So we were left with the choice of us allowing Leo to do that work and us > having > to spend time reviewing the PRs and applying them. Frankly, none of us > were > interested enough in this to spend that kind of time, especially since we > know at > least two usable drop-in replacements for Log4j 1.2 that fix the CVEs > already exist. > > I seriously think the outcome would have been different had Ceki offered > to help > while the discussion was going on. Instead, he decided to offer to help > after the > PMC posted its announcement of the vote results and the reasons why we > voted > that way. > > Since the Logging Services PMC is responsible for Log4j1 I fail to see why > a > discussion is even continuing on this list. The Logging Services PMC has > made > clear that it is not going to sponsor a podling for this and the PMC still > retains > ownership of the code. > > Ralph > --------------------------------------------------------------------- > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > For additional commands, e-mail: general-h...@incubator.apache.org > > -- Best regards, Andrew Words like orphans lost among the crosstalk, meaning torn from truth's decrepit hands - A23, Crosstalk
