Re: Looking for a champion: resurrect log4j 1.x

2022-01-09 Thread Ralph Goers
Justin, See https://lists.apache.org/thread/fz19gsjnlh84nxgxj0jyy2rzrol1dx9b and https://twitter.com/qos_ch/status/1479938932213223424 . However, it is worth noting that

Re: Looking for a champion: resurrect log4j 1.x

2022-01-08 Thread Justin Mclean
Hi, The incubation list is for conversations about new project proposals, releases and graduations and similar things. I think this thread has got off topic and you should probably carry on the conversation back on the logging project lists. Building a community around EOLed software, even if

Re: Looking for a champion: resurrect log4j 1.x

2022-01-08 Thread Andrew Purtell
The JMSAppender is an optional module. I think you will get the distinction. It doesn’t break the world to remove it, unlike changing the class hierarchy of Appender or removing a method on an extension interface used by same, I think the distinction is clear. We might find agreement in the

Re: Looking for a champion: resurrect log4j 1.x

2022-01-08 Thread Matt Sicker
> On Jan 8, 2022, at 19:39, Andrew Purtell wrote: > >> Are you using the JMS appender? Are you using the socket receiver? If the > answer is no to those questions, you don’t have security concerns besides > the more glaring fact that you’re depending on end of life software that > has been

Re: Looking for a champion: resurrect log4j 1.x

2022-01-08 Thread Dave Fisher
In this current form this discussion belongs either on dev@logging or board@. Several people here are perfectly capable of forming a proposal, but are choosing to have an unproductive discussion. At this point a new podling would be a hostile fork and those are not accepted. Sent from my

Re: Looking for a champion: resurrect log4j 1.x

2022-01-08 Thread Andrew Purtell
The discussion continues here because the Logging PMC is intransigent and non-responsive to the concerns already well established by parties on this thread. I don't see how this can be resolved without you "giving in". Perhaps that is the problem, but I don't want to be an armchair psychiatrist, I

Re: Looking for a champion: resurrect log4j 1.x

2022-01-08 Thread Andrew Purtell
> Are you using the JMS appender? Are you using the socket receiver? If the answer is no to those questions, you don’t have security concerns besides the more glaring fact that you’re depending on end of life software that has been marked as such for going on 7 years now. I know you keep

Re: Looking for a champion: resurrect log4j 1.x

2022-01-08 Thread Ralph Goers
> On Jan 8, 2022, at 4:34 PM, Andrew Purtell wrote: > > The Logging PMC is the hostile party here as far as I can tell, operating > in defiance of the community of users that have made the points I have just > written here abundantly clear for years. The Logging PMC is the owner of Log4j

Re: Looking for a champion: resurrect log4j 1.x

2022-01-08 Thread Matt Sicker
Answers below: > On Jan 8, 2022, at 17:34, Andrew Purtell wrote: > > Log4J 1 has known concurrency issues but many projects live with them or > work around them. For example, several "Big Data" Apache projects have been > fine with it, themselves internally highly concurrent and performance >

Re: Looking for a champion: resurrect log4j 1.x

2022-01-08 Thread Andrew Purtell
Log4J 1 has known concurrency issues but many projects live with them or work around them. For example, several "Big Data" Apache projects have been fine with it, themselves internally highly concurrent and performance sensitive. Log4J 1 might not be a Platonic ideal, but certainly good enough, as

Re: Looking for a champion: resurrect log4j 1.x

2022-01-08 Thread Matt Sicker
The problem with v1 is that it doesn’t “just work”. There are numerous deadlocks and other concurrency problems that were unable to be fixed without breaking various points of compatibility which is why Logback and Log4j2 even exist rather than continuing v1. There would also be difficulty in

Re: Looking for a champion: resurrect log4j 1.x

2022-01-08 Thread Rohit Yadav
Hi Matt, Thanks for replying. I think the main issues I found following the guide [1] for Apache CloudStack (ACS) are: - APIs are not backward compatible fully, certainly everywhere the imports have to be fixed - The config xml files are not fully compatible requiring some changes - Our

Re: Looking for a champion: resurrect log4j 1.x

2022-01-08 Thread Matt Sicker
It would be nice if you filed any issues with Log4j2 about problems with migration. It would have been nice to hear about these issues back when v1 stopped development, but this is the next best time to do so. The Log4j team are actively working to fill in any remaining gaps on backward

Re: Looking for a champion: resurrect log4j 1.x

2022-01-08 Thread Rohit Yadav
Hi all, I agree and extend support for Andrew's remarks. Apache CloudStack too uses log4j 1.x and our use case is simply a logging library that 1.x just satisfies. The effort to migrate to 2.x is not quick, at least in our initial investigation and a migration may likely require huge effort

Re: Looking for a champion: resurrect log4j 1.x

2022-01-05 Thread Christian Grobmeier
Hello, I just came across this thread - same as Ralph, I currently don't mentor any podlings. However, I am still on the Logging PMC. On Thu, Dec 23, 2021, at 07:05, Vladimir Sitnikov wrote: > Ralph>I was busy > > The world is on fire with log4j, so if you have no time left for 1.x, then, >

Re: Looking for a champion: resurrect log4j 1.x

2021-12-22 Thread Vladimir Sitnikov
Ralph>I was busy The world is on fire with log4j, so if you have no time left for 1.x, then, please, just let others do the maintenance. Ralph>My recollection was me saying if I had the code in a git repo getting it into a GitHub repo would be easy. I do not want to dilute "svn -> git" question

Re: Looking for a champion: resurrect log4j 1.x

2021-12-22 Thread Duo Zhang
OK, thank you for the feedback. Will open issues and also discuss threads on the mailing list for these things. Ralph Goers wrote on Thu, Dec 23, 2021 at 08:10: > > > > On Dec 21, 2021, at 9:22 PM, 张铎(Duo Zhang) > wrote: > > > > But in my experience, first, the log4j12 bridge is not perfect. For > >

Re: Looking for a champion: resurrect log4j 1.x

2021-12-22 Thread Ralph Goers
> On Dec 22, 2021, at 12:35 AM, Vladimir Sitnikov > wrote: > > > I already asked Logging PMC to enable Git and GitHub for 1.x, and they > rejected it: > https://lists.apache.org/thread/ssbdg44gy7txzl16xxd097t7orco52g2 My recollection was me saying if I had the code in a git repo getting it

Re: Looking for a champion: resurrect log4j 1.x

2021-12-22 Thread Ralph Goers
> On Dec 21, 2021, at 10:24 PM, Vladimir Sitnikov > wrote: > > Matt>Nobody in the Logging PMC is blocking a release here. > > Matt, thanks for the reply, however, it is false :( > I see you are positive, however, many more replies were quite negative. > > Ralph Goers says: "We’ve stated

Re: Looking for a champion: resurrect log4j 1.x

2021-12-22 Thread Ralph Goers
> On Dec 21, 2021, at 9:22 PM, 张铎(Duo Zhang) wrote: > > But in my experience, first, the log4j12 bridge is not perfect. For > example, since hadoop is still on log4j 1.x, I need to add log4j12 bridge > dependency if I want to run UTs based on hadoop mini cluster, and then I > need to manually

Re: Looking for a champion: resurrect log4j 1.x

2021-12-22 Thread Ralph Goers
I’m sorry, I was just directed to this thread. I don’t read my incubator emails every day since I am not mentoring any podlings at the moment. There seems to be some disconnect with the facts. From my viewpoint they are: An email came in asking if it would be possible to put out a new 1.2.18

Re: Looking for a champion: resurrect log4j 1.x

2021-12-22 Thread Matt Sicker
The Commons approach isn’t likely to work. Besides sharing several PMC members, it already deprecated Commons Logging in favor of Log4j2 as a logging API. — Matt Sicker > On Dec 22, 2021, at 12:59, Dave Fisher wrote: > > Have the initial committers for this effort been identified? > >> On

Re: Looking for a champion: resurrect log4j 1.x

2021-12-22 Thread Dave Fisher
Have the initial committers for this effort been identified? > On Dec 22, 2021, at 10:28 AM, Vladimir Sitnikov > wrote: > > Matt>Attaching patches to Jira is exactly how v1 was developed back in the > day. V2 did it for some time as well before migrating to git > > Matt, let us please refrain

Re: Looking for a champion: resurrect log4j 1.x

2021-12-22 Thread Vladimir Sitnikov
Matt>Attaching patches to Jira is exactly how v1 was developed back in the day. V2 did it for some time as well before migrating to git Matt, let us please refrain from off-topic discussions here? (at the end of the day, this is "Looking for a champion" thread) If you have objections or comments

Re: Looking for a champion: resurrect log4j 1.x

2021-12-22 Thread Matt Sicker
Attaching patches to Jira is exactly how v1 was developed back in the day. V2 did it for some time as well before migrating to git. — Matt Sicker > On Dec 22, 2021, at 01:42, Vladimir Sitnikov > wrote: > > Romain, > > Romain>for now the thread is looking for options which are not needed

Re: Looking for a champion: resurrect log4j 1.x

2021-12-21 Thread Romain Manni-Bucau
I know Vladimir but let's do things in order, if we move in all ways it will fail. Incubating log4j1 will fail as I explained - not even sure incubator would let it be incubated since project is officially dead for everybody and can only get security fixes (incubator is to ensure you can build a

Re: Looking for a champion: resurrect log4j 1.x

2021-12-21 Thread Vladimir Sitnikov
>I would propose to talk with logging PMC first I did exactly that, and they did not listen. They have no will to keep releasing 1.x versions. At the same time, they do not allow others to release log4j:log4j:1.x versions. I'm waiting for the response by Logging PMC chair Ron once again:

Re: Looking for a champion: resurrect log4j 1.x

2021-12-21 Thread Vladimir Sitnikov
Romain, Romain>for now the thread is looking for options which are not needed from my window It was the Logging PMC team who suggested I should re-incubate log4j 1.x. Romain>1. where is the patch needed to fix the desired CVE? - must be compatible with current SVN trunk The current SVN trunk

Re: Looking for a champion: resurrect log4j 1.x

2021-12-21 Thread JB Onofré
Agree with Romain. Let’s just take concrete actions: I would propose to talk with logging PMC first (they can provide their preferences). It’s really amazing how we can create endless thread for simple/concrete topics ;) Regards JB > On Dec 22, 2021, at 08:17, Romain Manni-Bucau wrote: >

Re: Looking for a champion: resurrect log4j 1.x

2021-12-21 Thread Romain Manni-Bucau
ok, so let's try to not create an endless thread: 1. where is the patch needed to fix the desired CVE? - must be compatible with current svn trunk 2. please attach it to a ticket (or multiple if there are multiple fixes) like LOG4J2-3219 3. if it does not get applied and PMC is opposed to get it

Re: Looking for a champion: resurrect log4j 1.x

2021-12-21 Thread Vladimir Sitnikov
Matt>Nobody in the Logging PMC is blocking a release here. Matt, thanks for the reply, however, it is false :( I see you are positive, however, many more replies were quite negative. Ralph Goers says: "We’ve stated several times that we don’t think resurrecting Log4j 1.x permanently is a good

Re: Looking for a champion: resurrect log4j 1.x

2021-12-21 Thread Dave Fisher
Sent from my iPhone > On Dec 21, 2021, at 5:13 AM, Romain Manni-Bucau wrote: > > On Tue, Dec 21, 2021 at 12:33, Enrico Olivelli > wrote: > >> Vladimir, >> I totally support this proposal. >> >> Which are actually the steps we need to cut a release of log4j 1.x ? >> - establish an

Re: Looking for a champion: resurrect log4j 1.x

2021-12-21 Thread Dave Fisher
Sent from my iPhone > On Dec 21, 2021, at 3:33 AM, Enrico Olivelli wrote: > > Vladimir, > I totally support this proposal. > > Which are actually the steps we need to cut a release of log4j 1.x ? > - establish an Apache project ? > - do the fix > - cut a release > > Can this be done

Re: Looking for a champion: resurrect log4j 1.x

2021-12-21 Thread Dave Fisher
Hi, Have you discussed the approach you outlined with the logging PMC? It seems to me the idea of a drop in jar that allows log4j 1 over log4j 2 is an ideal product for that PMC to support. All the best, Dave Sent from my iPhone > On Dec 21, 2021, at 8:22 PM, 张铎 wrote: > > I'm the one

Re: Looking for a champion: resurrect log4j 1.x

2021-12-21 Thread Duo Zhang
I'm the one who migrated HBase from log4j to log4j2, and still tries to migrate hadoop but still can not find a suitable upgrading path... For me, I do not prefer we release a new log4j 1.x, it has been EOL for many years, we should encourage people to upgrade to a newer logging framework. FWIW,

Re: Looking for a champion: resurrect log4j 1.x

2021-12-21 Thread Andrew Purtell
> as for the v1 :: COBOL analogy, that’s not a bad comparison. Basically, users who haven’t bothered to upgrade in 10 years will have to end up paying astronomical costs for consultants who can still work on ancient software effectively to help modify their systems. I have to take some exception

Re: Looking for a champion: resurrect log4j 1.x

2021-12-21 Thread Matt Sicker
Nobody in the Logging PMC is blocking a release here. What we don’t want is to falsely advertise that v1 is still under development. We already have a huge increase in mailing list, PR, and other traffic ever since Log4Shell, and if we resurrect v1, then it’ll quickly become impossible to keep

Re: Looking for a champion: resurrect log4j 1.x

2021-12-21 Thread Romain Manni-Bucau
On Tue, Dec 21, 2021 at 12:33, Enrico Olivelli wrote: > Vladimir, > I totally support this proposal. > > Which are actually the steps we need to cut a release of log4j 1.x ? > - establish an Apache project ? > 1. Send a patch to apply on http://svn.apache.org/repos/asf/logging/log4j/trunk >

Re: Looking for a champion: resurrect log4j 1.x

2021-12-21 Thread Enrico Olivelli
Vladimir, I totally support this proposal. Which are actually the steps we need to cut a release of log4j 1.x ? - establish an Apache project ? - do the fix - cut a release Can this be done inside another Apache Project who "adopts" the log4j sources if the Logging Project doesn't want to do it

Re: Looking for a champion: resurrect log4j 1.x

2021-12-20 Thread Vladimir Sitnikov
>Just wondering, is it even fulfilling the criteria of incubation? I believe, the world does not need "active development in log4j 1.x" nowadays. What everybody needs from log4j 1.x is to fix security issues, fix outstanding issues (if any), keep the project buildable (e.g. avoid using outdated

Re: Looking for a champion: resurrect log4j 1.x

2021-12-20 Thread Felix Cheung
objective. > ceki.blogspot.com > > Best Regards, > martin- > > > From: Jungtaek Lim > Sent: Monday, December 20, 2021 4:26 PM > To: general@incubator.apache.org > Subject: Re: Looking for a champion: resurrect log4j 1.x > > Just wonder

Re: Looking for a champion: resurrect log4j 1.x

2021-12-20 Thread Martin Gainty
in objective. ceki.blogspot.com Best Regards, martin- From: Jungtaek Lim Sent: Monday, December 20, 2021 4:26 PM To: general@incubator.apache.org Subject: Re: Looking for a champion: resurrect log4j 1.x Just wondering, is it even fulfilling the criteria of incubation? Have th

Re: Looking for a champion: resurrect log4j 1.x

2021-12-20 Thread Jungtaek Lim
Just wondering, is it even fulfilling the criteria of incubation? Have there been any similar cases before? It was stated that there will be no effort on active development but focus only on CVE fixes. This sounds to me as the project will start as only fixing a few known CVEs and stop till other

Re: Looking for a champion: resurrect log4j 1.x

2021-12-20 Thread John D. Ament
On Mon, Dec 20, 2021 at 8:42 AM Romain Manni-Bucau wrote: > Guess there are 4 options: > > 1. resurrect log4j1 and let it die again > 2. do a log4j1 release for the CVE under logging umbrella (as a subproject) > - after all log4j1 belongs to logging as a subproject already ( >

Re: Looking for a champion: resurrect log4j 1.x

2021-12-20 Thread Romain Manni-Bucau
Guess there are 4 options: 1. resurrect log4j1 and let it die again 2. do a log4j1 release for the CVE under logging umbrella (as a subproject) - after all log4j1 belongs to logging as a subproject already ( https://logging.apache.org/dormant.html) 3. the log4j1-log4j2 bridge (but agree this is

Re: Looking for a champion: resurrect log4j 1.x

2021-12-20 Thread John D. Ament
Hi Vladimir, I think based on what you're describing and the Logging PMC's response, re-incubating the project makes sense. I would be curious if the Logging PMC would be interested in restarting the sub-project after a successful incubation period. This seems to match what Ralph is suggesting

Re: Looking for a champion: resurrect log4j 1.x

2021-12-20 Thread Vladimir Sitnikov
>Do you have "facts" (like message on mailing list) ? I am not sure what you mean. For example: 1) Ralph Goers says the existing committers did not touch 1.x code a lot: https://lists.apache.org/thread/j6zrdp1d148qpkg0g7x3cc41o070oq6n Ralph>Virtually all of the contributors to the Log4j 1.x

Re: Looking for a champion: resurrect log4j 1.x

2021-12-20 Thread Jean-Baptiste Onofré
Hi Vladimir, Thanks for the update. Do you have "facts" (like message on mailing list) ? I think we can discuss with the log4j PMC members. Depending on their feedback, we will find a way. My preference is to have log4j1 on Apache Logging umbrella. Let's see what others think. Regards JB On

Re: Looking for a champion: resurrect log4j 1.x

2021-12-19 Thread Vladimir Sitnikov
JB>Anyone can propose new releases on any branches (including old ones). JB>If you need my support/help on this, please let me know. I and the other contributors tried to suggest PRs, however, log4j pmc actively denies them. They suggest contributors should focus on polishing log4j 1->2

Re: Looking for a champion: resurrect log4j 1.x

2021-12-19 Thread JB Onofré
Hi I don’t think you need the incubator there. You can propose to log4j pmc to move forward on log4j 1.x. Anyone can propose new releases on any branches (including old ones). If you need my support/help on this, please let me know. Just my €0.01 ;) Regards JB > On Dec 20, 2021, at 08:27,

Looking for a champion: resurrect log4j 1.x

2021-12-19 Thread Vladimir Sitnikov
Hi, I want to resurrect log4j 1.x to fix well-known security issues. I'm looking for the champion and committers. log4j 1.x is a wildly used logging library, so releasing a secured version would silence CVE warnings all over the world, and it would enable users to focus on more relevant tasks