First, is this really a blocker for 2.15.1? I think it is prudent to do urgent releases soon. This JNDI change (LOG4J2-3208 <https://issues.apache.org/jira/browse/LOG4J2-3208>) feels urgent enough to warrant another shortened vote window. A larger change like removing message lookups should not be rushed out like this, it needs review time.
Second, do we really want to do this? Are we not overreacting? Would it not be better to remove lookups in message parameters only? (In implementation terms, resolve all lookups *before* interpolating the message parameters?) Also, let me state the obvious, lookups *in configuration* are tremendously useful and should not be removed. This may be obvious to some of us, but I just want to make sure there is no confusion about that (because I personally was confused about this at some point). :-) Finally, if we decide to do this, should a change like this be in a point/bugfix release (2.15.1) or should it be a separate minor release like 2.16.0? On Mon, Dec 13, 2021 at 5:10 AM Remko Popma <remko.po...@gmail.com> wrote: > Shall we discuss this first please? > > On Mon, Dec 13, 2021 at 5:10 AM Matt Sicker <boa...@gmail.com> wrote: > >> If you can handle that change, I can roll a new release candidate. >> >> Matt Sicker >> >> > On Dec 12, 2021, at 14:07, Volkan Yazıcı <vol...@yazi.ci> wrote: >> > >> > I know. I want them to be removed, not disabled. >> > >> >> On Sun, Dec 12, 2021 at 9:01 PM Matt Sicker <boa...@gmail.com> wrote: >> >> >> >> Those were already disabled in 2.15.0. >> >> >> >> Matt Sicker >> >> >> >>>> On Dec 12, 2021, at 13:41, Volkan Yazıcı <vol...@yazi.ci> wrote: >> >>> >> >>> I very well recognize your heroic effort on tackling this issue and >> I am >> >>> very thankful for that. >> >>> I vote -1, because I want message (not configuration!) lookups to be >> >>> removed. >> >>> >> >>> Message lookups create a vast attack surface. Anything they offer can >> >>> simply be implemented by the user. >> >>> >> >>>> On Sun, Dec 12, 2021 at 4:48 AM Matt Sicker <boa...@gmail.com> >> wrote: >> >>>> >> >>>> This is a vote to release Log4j 2.15.1, the next version of the >> Log4j 2 >> >>>> project. >> >>>> >> >>>> Please download, test, and cast your votes on the log4j developers >> list. >> >>>> [] +1, release the artifacts >> >>>> [] -1, don't release because... >> >>>> >> >>>> The vote will remain open for 72 hours (or more if required). All >> votes >> >>>> are welcome and we encourage everyone to test the release, but only >> >> Logging >> >>>> PMC votes are “officially” counted. As always, at least 3 +1 votes >> and >> >> more >> >>>> positive than negative votes are required. >> >>>> >> >>>> Changes in this release include: >> >>>> >> >>>> Fixed Bugs >> >>>> >> >>>> * LOG4J2-3208: Disable JNDI by default. Require log4j2.enableJndi to >> be >> >>>> set to true to allow JNDI. >> >>>> >> >>>> Tag: >> >>>> a) for a new copy do "git clone >> >>>> https://github.com/apache/logging-log4j2.git < >> >>>> https://github.com/apache/logging-log4j2.git>" and then "git >> checkout >> >>>> tags/log4j-2.15.1-rc1” or just "git clone -b log4j-2.15.1-rc1 >> >>>> https://github.com/apache/logging-log4j2.git < >> >>>> https://github.com/apache/logging-log4j2.git>" >> >>>> b) for an existing working copy to “git pull” and then “git checkout >> >>>> tags/log4j-2.15.1-rc1” >> >>>> >> >>>> Web Site: https://logging.staged.apache.org/log4j/2.x/index.html < >> >>>> https://logging.staged.apache.org/log4j/2.x/index.html>. >> >>>> >> >>>> Maven Artifacts: >> >>>> >> >> >> https://repository.apache.org/content/repositories/orgapachelogging-1067/ >> >>>> >> >>>> Distribution archives: >> >>>> https://dist.apache.org/repos/dist/dev/logging/log4j/ < >> >>>> https://dist.apache.org/repos/dist/dev/logging/log4j/> >> >>>> >> >>>> You may download all the Maven artifacts by executing: >> >>>> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate >> >>>> >> >> >> https://repository.apache.org/content/repositories/orgapachelogging-1067/org/apache/logging/log4j/ >> >> >> >
