On Tue, Dec 14, 2021 at 11:44 PM Vladimir Sitnikov <
[email protected]> wrote:

> >My understanding is it requires an extremely
> >old JDK.
> >Have you actually tried building the project to see if this is true?
>
> I was able to build the project with Maven3 and Java 1.8 by commenting out
> tools.jar, "site-related", "antrun-related" stuff in pom.xml.
> It did produce log4j.jar that worked with Weblogic APP.
>
> ----
>
> There's an alternative option:
> * cut the files from the source
> * take log4j-1.2.17.jar
> * remove the offending classes
> * re-save the file as log4j-1.2.18.jar
> * manually upload it to oss.sonatype.org via UI :)
>
> It might be easier than trying to find the proper tools for the
> compilation.
>

About the alternative solution:
How would we then be able to ever release a log4j-1.2.19 jar if we find
another security vulnerability? I don't like this idea.

If we do a new Log4j 1.x release, we should do it from source.
I believe that 1.2.17 targets Java 1.4(!), but it may be the case that the
oldest JDK available from Oracle is Java 5.
We can consider setting the compiler option to create Java 1.4 byte code,
since we are only removing classes. (Vladimir, is this correct?)

Also, I think we can consider not supporting any appenders that require
native code.
I believe that last one was one of the major stumbling blocks, but I could be
wrong.


>
> Vladimir
>
