Hi Logging Team!

Long time lurker here.  I recently had to build something on Java 6 so
thought I'd take a stab at building Log4J 1.2.17.

Using Maven-3.2.5 with Java 8 I first ran the following commands

01. mvn clean
02. mvn dependency:tree
03. mvn install
04. mvn javadoc:javadoc
05. mvn source:jar
06. mvn site:run
07. mvn install:install

These all fail, but they cause all the required maven dependencies to
download properly into ~/.m2.  Unfortunately as far as I can tell Java 6 is
no longer able to download things from Maven-Central - I suspect its
SSL/TLS settings are too out of date. So I use Java 8 to get the
dependencies downloaded into my ~/.m2.

Then I switch over to Java 6 and run the following commands:

08. export JAVA_HOME=/opt/java/jdk1.6.0_45
09. /opt/maven/apache-maven-3.2.5/bin/mvn clean
10. /opt/maven/apache-maven-3.2.5/bin/mvn install

And it seems to work!

[INFO] --- maven-install-plugin:2.5.2:install (default-install) @ log4j ---
[INFO] Installing /opt/mergebase/src/log4j/target/log4j-1.2.17.jar to /home/julius/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
[INFO] Installing /opt/mergebase/src/log4j/pom.xml to /home/julius/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.pom
[INFO] Installing /opt/mergebase/src/log4j/target/log4j-1.2.17-javadoc.jar to /home/julius/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17-javadoc.jar
[INFO] Installing /opt/mergebase/src/log4j/target/log4j-1.2.17-sources.jar to /home/julius/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17-sources.jar
[INFO]
[INFO] --- maven-bundle-plugin:2.1.0:install (default-install) @ log4j ---
[INFO] Installing log4j/log4j/1.2.17/log4j-1.2.17.jar
[INFO] Writing OBR metadata
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:24 min
[INFO] Finished at: 2021-12-15T14:45:00-08:00
[INFO] Final Memory: 39M/583M
[INFO] ------------------------------------------------------------------------

Posting it here in case anyone finds this helpful.

And thanks for all your work and especially all the Log4J releases lately.


yours,

Julius Musseau
(aka Julius Davies - I committed a few things back in 2007 to
commons-codec, but have been a bit distracted since those days!)
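
An added example, not part of the original post: the Java 6 build above consumes whatever the earlier Java 8 run left in ~/.m2, so this Python script compares each cached .jar/.pom with the .sha1 file Maven keeps next to downloaded artifacts. The sample repository is constructed, the sidecar forms `<hex>` and `<hex>  <filename>` are assumed, and the check catches corruption or later modification of the cache, not a bad upstream.

```python
import hashlib
import os
import tempfile

def sha1_of(path):
    with open(path, "rb") as handle:
        return hashlib.sha1(handle.read()).hexdigest()

def recorded_sha1(sidecar):
    """Sidecars hold '<hex>' or '<hex>  <filename>'; keep the first token."""
    with open(sidecar, "r", errors="replace") as handle:
        tokens = handle.read().split()
    return tokens[0].lower() if tokens else ""

def audit_repo(repo_root):
    """Sort every .jar/.pom under repo_root into ok, mismatch or unverified."""
    report = {"ok": [], "mismatch": [], "unverified": []}
    for dirpath, _dirs, files in os.walk(repo_root):
        for name in sorted(files):
            if not name.endswith((".jar", ".pom")):
                continue  # skips the .sha1 sidecars themselves
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, repo_root)
            if not os.path.isfile(path + ".sha1"):
                report["unverified"].append(rel)  # nothing recorded to compare
            elif recorded_sha1(path + ".sha1") == sha1_of(path):
                report["ok"].append(rel)
            else:
                report["mismatch"].append(rel)
    return report

def build_sample_repo(root):
    """Constructed sample data in Maven repository layout."""
    samples = {
        "example/dep-a/1.0/dep-a-1.0.jar": (b"constructed jar A", "bare"),
        "example/dep-b/2.0/dep-b-2.0.pom": (b"constructed pom B", "named"),
        "example/dep-c/3.0/dep-c-3.0.jar": (b"constructed jar C", "stale"),
        # stands in for a locally installed artifact; assumed to have no sidecar
        "log4j/log4j/1.2.17/log4j-1.2.17.jar": (b"locally built", None),
    }
    for rel, (data, kind) in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as handle:
            handle.write(data)
        if kind is not None:
            hexd = hashlib.sha1(b"x" if kind == "stale" else data).hexdigest()
            suffix = "  " + os.path.basename(path) if kind == "named" else ""
            with open(path + ".sha1", "w") as handle:
                handle.write(hexd + suffix + "\n")

if __name__ == "__main__":
    repo = tempfile.mkdtemp()  # real use: os.path.expanduser("~/.m2/repository")
    build_sample_repo(repo)
    for status, paths in audit_repo(repo).items():
        print(status, sorted(paths))
```

Anything listed under `mismatch` is worth deleting and re-downloading before the Java 6 build runs.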



On Wed, Dec 15, 2021 at 1:08 PM Matt Sicker <boa...@gmail.com> wrote:
>
> I don't have any experience modifying (or really using) log4j v1, but
> I think we can at least review changes and help validate a release
> (along with any PMC-specific release steps to enable your efforts to
> eventually get published as an official release). Having release notes
> for this version to indicate this is purely a security update due to
> the severity of CVE blah blah and the library is still EOL and should
> be migrated to Log4j2 after mitigation.
>
> On Wed, Dec 15, 2021 at 2:39 PM Leo Simons <leosim...@apache.org> wrote:
> >
> > Ok, thanks for the pointers!
> >
> > Yes I'll volunteer to do some of the grunt work, though I hope some others
> > join in and we'll need code review from logging experts.
> > I'm not volunteering to maintain log4j 1.x for the next decade, it should
> > remain EOL...will add a careful message about that.
> >
> > If enough of a critical mass of new contributors shows up we can try for an
> > official apache release, if not an unofficial fork over on github might
> > still help some.
> > Speaking of github, I gave up fighting svn2git and started from the
> > existing mirror (which means ugly commit messages) [1].
> > Happy to merge in some contributions there [2]
> >
> > Cheers,
> >
> > Leo
> >
> > [1] https://github.com/lsimons/log4j/tree/2021-security-fixes
> > [2] For any newcomers who want to jump in and help, probably best to get
> > your CLA and whatnot in place:
> > https://logging.apache.org/log4j/2.x/guidelines.html
> > https://infra.apache.org/contributors.html
> > https://www.apache.org/licenses/contributor-agreements.html
> >
> >
> > On Wed, Dec 15, 2021 at 9:02 PM Gary Gregory <garydgreg...@gmail.com> wrote:
> >
> > > On Wed, Dec 15, 2021 at 1:01 PM Matt Sicker <boa...@gmail.com> wrote:
> > > >
> > > > Same as Ralph. Glad to have some help performing an updated release,
> > > > though unless we can get a few interested maintainers to join the
> > > > project to help continue maintenance, it may cause a lot of confusion
> > > > around EOL support. I do think it makes sense to try to make a
> > > > security release due to the overall confusion from CVE-2021-44228 et
> > > > al.
> > >
> > > I agree with Matt.
> > >
> > > Gary
> > > >
> > > > On Wed, Dec 15, 2021 at 11:54 AM Ralph Goers <ralph.go...@dslextreme.com> wrote:
> > > > >
> > > > > No objections if you are volunteering to do the work. I do have concerns. Unless a new set of contributors
> > > > > wants to become part of the logging project and support Log4j 1 we do not want to give the impression that
> > > > > it is being supported.
> > > > >
> > > > > Ralph
> > > > >
> > > > >
> > > > >
> > > > > > On Dec 15, 2021, at 10:14 AM, Leo Simons <leosim...@apache.org> wrote:
> > > > > >
> > > > > > Hey folks,
> > > > > >
> > > > > > First, thanks for all the hard work on 2.x, especially these last couple of
> > > > > > weeks!
> > > > > > Please take care of yourself and be kind to yourself :)
> > > > > > Obviously 2.x should get full focus from all that can productively
> > > > > > contribute to it.
> > > > > >
> > > > > > I do agree with Vladimir about giving 1.x a little attention.
> > > > > > With the whole world doing forensics it is clear how widespread 1.x still
> > > > > > is.
> > > > > > Seems worth it to make a slightly safer lib, for all those people that
> > > > > > cannot easily upgrade to 2.x, so they can just drop in a new jar.
> > > > > >
> > > > > > I investigated the current build a bit. Notes below mail.
> > > > > > It -does- seem feasible for a logging.a.o committer with SVN write access +
> > > > > > people.apache.org access to make a new 1.x release 'the ancient way' with
> > > > > > limited effort.
> > > > > > I.e. https://logging.apache.org/log4j/1.2/building.html is mostly workable
> > > > > > today.
> > > > > > But...then you are stuck with very old-style library maintenance.
> > > > > > Best clean house a bit more (right?).
> > > > > >
> > > > > > If cleanup is the way to go, seems some next steps include
> > > > > > * convert with svn2git
> > > > > >  * I kicked off a run, takes a few hours
> > > > > > * bump the build toolchain up to modern standards/versions
> > > > > >  * set up OpenJDK 6 as a mvn toolchain for compiling, for max compatibility (toolchain pom.xml patch below).
> > > > > >  * use any version of Maven 3 on an LTS version of Ubuntu with any JDK (7+), clean up the build setup, delete some ancient cruft.
> > > > > >  * don't bother releasing new binary versions of the windows DLLs, people who need them can use the old DLLs or build from source.
> > > > > > * make some patches to delete vulnerable/network code
> > > > > > * perhaps add some warnings for now-unsupported (JMS) config
> > > > > > * add tests proving the new behavior
> > > > > > * write some docs on how to use the new version and link to 2.x upgrade instructions
> > > > > > * draft some release notes
> > > > > > * fix generated site
> > > > > >  * include the end-of-life disclaimer that's in the HTML (into template?)
> > > > > >  * update with additional instructions
> > > > > >  * make the site setup work with apache cms
> > > > > > * make it real easy to review the result, bake & propose an RC
> > > > > >  * hand off to committers/PMC for release
> > > > > > Make sense? Any suggestions or objections?
> > > > > >
> > > > > > Nothing too hard, just grunt work :)
> > > > > >
> > > > > >
> > > > > > Cheers,
> > > > > >
> > > > > >
> > > > > > Leo
> > > > > >
> > > > > >
> > > > > > Main findings
> > > > > > -------------
> > > > > > * Main build is "fine"
> > > > > >    * Log4J 1.x seems to build fine with modern JDK and modern Maven 3, with source/target=1.4 set
> > > > > >    * Log4J 1.x seems to build fine on ubuntu 14.0.4.6, with JDK 1.7 for maven plus JDK 1.6 toolchain for compile, and an ancient Maven 3
> > > > > >        * probably best to pick this option 'for safety'
> > > > > >        * see detailed howto below
> > > > > >    * Compiles fine, tests pass
> > > > > >    * Maven release plugin seems setup correctly and working
> > > > > >        * needs committer with SVN write access to do `maven release:prepare; maven release:perform`
> > > > > > * JNI/native build is not worrisome
> > > > > >    * I did not attempt to re-build the NT DLLs, but this is not needed to ship a new source dist or new jar, any users can pick old .dll with new jar
> > > > > >    * jni_md.h referred in build is easy to get: version from Oracle JDK 6 is identical to OpenJDK 11 version aside from license header
> > > > > > * Site
> > > > > >    * Maven site generates ok, but
> > > > > >        * publishing instructions are wrong
> > > > > >        * misses the end of life header
> > > > > >        * Probably HTML site was edited by hand to add this header?
> > > > > >
> > > > > > Detailed steps to produce a build
> > > > > > ---------------------------------
> > > > > > * download and install virtualbox
> > > > > > * download and install ubuntu 14.04.6 LTS 64 bit VM
> > > > > >    * https://www.osboxes.org/ubuntu/
> > > > > >    * this is the oldest supported LTS ubuntu
> > > > > >    * ubuntu 12.04 LTS is closer but is unsupported
> > > > > >    * this has openjdk 6
> > > > > >    * password osboxes.org
> > > > > >    * apt-get dist-upgrade && reboot
> > > > > >    * install virtualbox guest additions and reboot
> > > > > >        * https://www.osboxes.org/guide/
> > > > > > * to get jni_md.h:
> > > > > >    * this does not seem to be strictly needed to make a release, the native build gets skipped on linux
> > > > > >    * best option: get it from https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/windows/native/include/jni_md.h
> > > > > >        * this is GPLv2 + classpath exception, classpath exception makes it fine to use here
> > > > > >    * cumbersome: download and install IE11 on Windows 7 64 bit VM
> > > > > >        * https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
> > > > > >        * password Passw0rd!
> > > > > >        * run windows update and reboot
> > > > > >        * install virtualbox guest additions and reboot
> > > > > >            * https://www.osboxes.org/guide/
> > > > > >        * download and install sun/oracle JDK 6u41 (matching ubuntu)
> > > > > >            * https://www.oracle.com/java/technologies/javase-java-archive-javase6-downloads.html
> > > > > >        * open \Program Files\Java\jdk_1.6.....\include\win32
> > > > > >        * copy jni_md.h and paste to homedir on ubuntu
> > > > > >    * alternative: get it from https://github.com/lsimons/jni_md.h
> > > > > >        * got this file using the steps above
> > > > > >        * don't use by downloading from here, that might be a bit illegal in your jurisdiction
> > > > > >        * proves it is the same file as in JDK11 as per above
> > > > > >
> > > > > > * follow rest of build instructions
> > > > > >    * apt-get install openjdk-6-jdk
> > > > > >    * apt-get install maven2 subversion mingw32 xemacs21 openssh-server
> > > > > >    * sudo cp /mnt/Downloads/jni_md.h ~osboxes/
> > > > > >    * sudo chown osboxes:osboxes ~osboxes/jni_md.h
> > > > > >    * export JNI_WIN32_INCLUDE_DIR=/home/osboxes
> > > > > >    * export SVN_EDITOR=xemacs21
> > > > > >    * mkdir ~/.m2
> > > > > >    * cat >~/.m2/settings.xml <<END
> > > > > > <settings
> > > > > >    xmlns="http://maven.apache.org/SETTINGS/1.0.0"
> > > > > >    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > > > >    xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
> > > > > >        https://maven.apache.org/xsd/settings-1.0.0.xsd">
> > > > > >  <!--<mirrors>
> > > > > >    <mirror>
> > > > > >      <id>central-https</id>
> > > > > >      <name>Central over HTTPS</name>
> > > > > >      <url>https://repo1.maven.org/maven2</url>
> > > > > >      <mirrorOf>central</mirrorOf>
> > > > > >    </mirror>
> > > > > >  </mirrors>-->
> > > > > >    <profiles>
> > > > > >        <profile>
> > > > > >        <id>https</id>
> > > > > >        <activation>
> > > > > >            <activeByDefault>true</activeByDefault>
> > > > > >        </activation>
> > > > > >        <repositories>
> > > > > >            <repository>
> > > > > >            <id>central</id>
> > > > > >            <name>Central Repository</name>
> > > > > >            <url>https://repo1.maven.org/maven2</url>
> > > > > >            <layout>default</layout>
> > > > > >            <snapshots>
> > > > > >                <enabled>false</enabled>
> > > > > >            </snapshots>
> > > > > >            </repository>
> > > > > >        </repositories>
> > > > > >        <pluginRepositories>
> > > > > >            <pluginRepository>
> > > > > >            <id>central</id>
> > > > > >            <name>Central Repository</name>
> > > > > >            <url>https://repo1.maven.org/maven2</url>
> > > > > >            <layout>default</layout>
> > > > > >            <snapshots>
> > > > > >                <enabled>false</enabled>
> > > > > >            </snapshots>
> > > > > >            <releases>
> > > > > >                <updatePolicy>never</updatePolicy>
> > > > > >            </releases>
> > > > > >            </pluginRepository>
> > > > > >        </pluginRepositories>
> > > > > >      </profile>
> > > > > >    </profiles>
> > > > > > </settings>
> > > > > > END
> > > > > >    * svn co http://svn.apache.org/repos/asf/logging/log4j/trunk log4j
> > > > > >    * cd log4j
> > > > > >    * mvn package release:prepare
> > > > > > fails with:
> > > > > >
> > > > > > [WARNING] Unable to get resource 'org.apache.felix:maven-bundle-plugin:pom:2.1.0' from repository central (https://repo.maven.apache.org/maven2): Error transferring file: Received fatal alert: protocol_version
> > > > > > Downloading: https://repo.maven.apache.org/maven2/org/apache/felix/maven-bundle-plugin/2.1.0/maven-bundle-plugin-2.1.0.pom
> > > > > >
> > > > > > so...maven 3 it is. That needs JDK 7.
> > > > > >
> > > > > >    * sudo apt-get install openjdk-7-jdk
> > > > > >    * sudo apt-get install maven # 3.0.5...
> > > > > >    * sudo update-alternatives --config mvn
> > > > > >    * vi ~/log4j/pom.xml
> > > > > >
> > > > > >    * patch pom.xml <<END
> > > > > > Index: pom.xml
> > > > > >
===================================================================
> > > > > > --- pom.xml (revision 1895980)
> > > > > > +++ pom.xml (working copy)
> > > > > > @@ -89,6 +88,26 @@
> > > > > >     <plugins>
> > > > > >       <plugin>
> > > > > >         <groupId>org.apache.maven.plugins</groupId>
> > > > > > +        <artifactId>maven-toolchains-plugin</artifactId>
> > > > > > +        <version>1.1</version>
> > > > > > +        <executions>
> > > > > > +          <execution>
> > > > > > +            <goals>
> > > > > > +              <goal>toolchain</goal>
> > > > > > +            </goals>
> > > > > > +          </execution>
> > > > > > +        </executions>
> > > > > > +        <configuration>
> > > > > > +          <toolchains>
> > > > > > +            <jdk>
> > > > > > +              <version>1.6</version>
> > > > > > +              <vendor>openjdk</vendor>
> > > > > > +            </jdk>
> > > > > > +          </toolchains>
> > > > > > +        </configuration>
> > > > > > +      </plugin>
> > > > > > +      <plugin>
> > > > > > +        <groupId>org.apache.maven.plugins</groupId>
> > > > > >         <artifactId>maven-resources-plugin</artifactId>
> > > > > >         <configuration>
> > > > > >           <encoding>UTF-8</encoding>
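Review bot: the `<vendor>openjdk</vendor>` requirement in the added `<toolchains><jdk>` block means the build resolves only a toolchain that declares exactly that vendor, so a builder whose JDK 6 entry names a different vendor fails at the toolchain step even though `<version>1.6</version>` is satisfied. Consider dropping the vendor line, or add an XML comment above the new `<plugin>` saying that a matching entry in ~/.m2/toolchains.xml is a prerequisite. The hunk header `@@ -89,6 +88,26 @@` also starts one line earlier on the new side than on the old, which implies an earlier one-line removal in pom.xml that the posted patch does not show; include that hunk or regenerate the diff.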
> > > > > > END
> > > > > >
> > > > > >    * cat >~/.m2/toolchains.xml <<END
> > > > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > > > <toolchains>
> > > > > >  <!-- JDK toolchains -->
> > > > > >  <toolchain>
> > > > > >    <type>jdk</type>
> > > > > >    <provides>
> > > > > >      <version>1.6</version>
> > > > > >      <vendor>openjdk</vendor>
> > > > > >    </provides>
> > > > > >    <configuration>
> > > > > >      <jdkHome>/usr/lib/jvm/java-1.6.0-openjdk-amd64</jdkHome>
> > > > > >    </configuration>
> > > > > >  </toolchain>
> > > > > > </toolchains>
> > > > > > END
> > > > > >    * mv ~/.m2/settings.xml ~/.m2/settings.xml.bak # that was for maven 2
> > > > > >
> > > > > >    * mvn package release:prepare with settings:
> > > > > >
> > > > > > [INFO] Checking dependencies and plugins for snapshots ...
> > > > > > What is the release version for "Apache Log4j"? (log4j:log4j) 1.2.18: : 1.2.18-RC1
> > > > > > What is SCM release tag or label for "Apache Log4j"? (log4j:log4j) log4j-1.2.18-RC1: : v1.2.18-RC1
> > > > > > What is the new development version for "Apache Log4j"? (log4j:log4j) 1.2.18-RC2-SNAPSHOT: : 1.2.18-RC2-SNAPSHOT
> > > > > > [INFO] Transforming 'Apache Log4j'...
> > > > > >
> > > > > >    fails at the very end due to permissions (good):
> > > > > >
> > > > > > [INFO] Executing: /bin/sh -c cd /home/osboxes/log4j && svn --non-interactive commit --file /tmp/maven-scm-895115457.commit --targets /tmp/maven-scm-5194221240786270512-targets
> > > > > > [ERROR] svn: E175013: Commit failed (details follow):
> > > > > > [ERROR] svn: E175013: POST of '/repos/asf/!svn/me': 403 Forbidden (http://svn.apache.org)
> > > > > >
> > > > > >    * mvn site assembly:assembly also works, but shows an old site!
> > > > >
> > >
