On Mon, Dec 13, 2021 at 5:47 AM Remko Popma <remko.po...@gmail.com> wrote:

> First, is this really a blocker for 2.15.1?
> I think it is prudent to do urgent releases soon.
> This JNDI change (LOG4J2-3208 <https://issues.apache.org/jira/browse/LOG4J2-3208>) feels urgent enough to warrant another shortened vote window.
> A larger change like removing message lookups should not be rushed out like this, it needs review time.
>
> Second, do we really want to do this? Are we not overreacting?
> Would it not be better to remove lookups in message parameters only?
> (In implementation terms, resolve all lookups *before* interpolating the message parameters?)
>
> Also, let me state the obvious, lookups *in configuration* are tremendously useful and should not be removed.
> This may be obvious to some of us, but I just want to make sure there is no confusion about that (because I personally was confused about this at some point). :-)
>
> Finally, if we decide to do this, should a change like this be in a point/bugfix release (2.15.x) or should it be a separate minor release like 2.16.0?
>

Personally, my preference would be to go ahead with the 2.15.1 release as it stands (containing only LOG4J2-3208 <https://issues.apache.org/jira/browse/LOG4J2-3208>). Further improvements can be done incrementally in future releases.

>
> On Mon, Dec 13, 2021 at 5:10 AM Remko Popma <remko.po...@gmail.com> wrote:
>
>> Shall we discuss this first please?
>>
>> On Mon, Dec 13, 2021 at 5:10 AM Matt Sicker <boa...@gmail.com> wrote:
>>
>>> If you can handle that change, I can roll a new release candidate.
>>>
>>> Matt Sicker
>>>
>>> > On Dec 12, 2021, at 14:07, Volkan Yazıcı <vol...@yazi.ci> wrote:
>>> >
>>> > I know. I want them to be removed, not disabled.
>>> >
>>> >> On Sun, Dec 12, 2021 at 9:01 PM Matt Sicker <boa...@gmail.com> wrote:
>>> >>
>>> >> Those were already disabled in 2.15.0.
>>> >>
>>> >> Matt Sicker
>>> >>
>>> >>>> On Dec 12, 2021, at 13:41, Volkan Yazıcı <vol...@yazi.ci> wrote:
>>> >>>
>>> >>> I very well recognize your heroic effort on tackling this issue and I am very thankful for that.
>>> >>> I vote -1, because I want message (not configuration!) lookups to be removed.
>>> >>>
>>> >>> Message lookups create a vast attack surface. Anything they offer can simply be implemented by the user.
>>> >>>
>>> >>>> On Sun, Dec 12, 2021 at 4:48 AM Matt Sicker <boa...@gmail.com> wrote:
>>> >>>>
>>> >>>> This is a vote to release Log4j 2.15.1, the next version of the Log4j 2 project.
>>> >>>>
>>> >>>> Please download, test, and cast your votes on the log4j developers list.
>>> >>>> [] +1, release the artifacts
>>> >>>> [] -1, don't release because...
>>> >>>>
>>> >>>> The vote will remain open for 72 hours (or more if required). All votes are welcome and we encourage everyone to test the release, but only Logging PMC votes are “officially” counted. As always, at least 3 +1 votes and more positive than negative votes are required.
>>> >>>>
>>> >>>> Changes in this release include:
>>> >>>>
>>> >>>> Fixed Bugs
>>> >>>>
>>> >>>> * LOG4J2-3208: Disable JNDI by default. Require log4j2.enableJndi to be set to true to allow JNDI.
>>> >>>>
>>> >>>> Tag:
>>> >>>> a) for a new copy do "git clone https://github.com/apache/logging-log4j2.git" and then "git checkout tags/log4j-2.15.1-rc1” or just "git clone -b log4j-2.15.1-rc1 https://github.com/apache/logging-log4j2.git"
>>> >>>> b) for an existing working copy to “git pull” and then “git checkout tags/log4j-2.15.1-rc1”
>>> >>>>
>>> >>>> Web Site: https://logging.staged.apache.org/log4j/2.x/index.html
>>> >>>>
>>> >>>> Maven Artifacts:
>>> >>>> https://repository.apache.org/content/repositories/orgapachelogging-1067/
>>> >>>>
>>> >>>> Distribution archives:
>>> >>>> https://dist.apache.org/repos/dist/dev/logging/log4j/
>>> >>>>
>>> >>>> You may download all the Maven artifacts by executing:
>>> >>>> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate https://repository.apache.org/content/repositories/orgapachelogging-1067/org/apache/logging/log4j/
>>> >>
>>> >>
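The ordering Remko describes above (resolve all lookups in the configured pattern *before* interpolating the message parameters) contrasted with resolving lookups over the fully formatted line, modelled as an added Python example. This is not Log4j's code; the lookup table, the `%m`/`{}` handling, the pattern and the parameter values are constructed stand-ins.

```python
import re

# Constructed, harmless stand-in for Log4j's lookup plugins (ctx:, sys:, ...).
LOOKUPS = {"ctx": {"requestId": "req-42"}, "sys": {"app": "orders"}}

LOOKUP_RE = re.compile(r"\$\{([a-z]+):([^}]*)\}")


def resolve_lookups(text: str) -> str:
    """Replace each ${source:key} with its value; unknown ones are left as-is."""
    def repl(m):
        source, key = m.group(1), m.group(2)
        return LOOKUPS.get(source, {}).get(key, m.group(0))
    return LOOKUP_RE.sub(repl, text)


def format_params(message: str, params: list) -> str:
    """Fill {} placeholders left to right, as a parameterized message does."""
    for p in params:
        message = message.replace("{}", p, 1)
    return message


def render_with_message_lookups(pattern: str, message: str, params: list) -> str:
    """What the thread calls 'message lookups': parameters are interpolated first,
    then the whole line is scanned, so ${...} inside a parameter is resolved too."""
    line = pattern.replace("%m", format_params(message, params))
    return resolve_lookups(line)


def render_lookups_before_params(pattern: str, message: str, params: list) -> str:
    """Remko's proposed ordering: resolve lookups in the *configuration* pattern
    first, then splice in the formatted message verbatim; parameters are never
    scanned, so configuration lookups keep working and message text is inert."""
    resolved = resolve_lookups(pattern)
    return resolved.replace("%m", format_params(message, params))


if __name__ == "__main__":
    pattern = "[${ctx:requestId}] %m"          # constructed layout pattern
    message = "login for user {}"
    untrusted = "${sys:app}"                   # constructed, caller-supplied parameter
    print(render_with_message_lookups(pattern, message, [untrusted]))
    print(render_lookups_before_params(pattern, message, [untrusted]))
```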