Hey,

On Sat, Dec 18, 2021 at 1:52 PM Vladimir Sitnikov <sitnikov.vladi...@gmail.com> wrote:
> > Similarly to set up git(hub) requires a PMC member.
> > Hopefully the [VOTE] on that is revisited and then someone sets it up.
>
> Would you please express your opinion on "[VOTE] Move log4j 1.x from SVN to
> Git..." thread?
> Non-committers can vote.

Sure, done :). I prefer to [VOTE] as little as possible, and instead to seek out, understand and resolve all advice/concerns/objections so that when a vote is finally needed it's easy / pro-forma.

> Frankly speaking, it is really sad that committers and PMCs are silent
> regarding 1.x security.

Hmm, is that what you think people are doing? I look at it very differently. Several 2.x committers have already chimed in with advice and suggestions and have even said they were willing to do some of the work.

For me the real sadness here is in the very distant past, back in Jakarta days, when fights happened and many of the log4j 1.x people left. Asking the people who volunteered to pick up the pieces and clean up to now do more than they already did is asking a lot.

Meanwhile I think the team here has done really well suddenly facing tremendous pressure. Given the state of the internet, I think their focus on 2.x is super needed and smart. I can only imagine how much work happens behind the scenes. I've been quite positively surprised by the amount of attention that's still been available for 1.x. So I'm not sad, I'm grateful!

> If all the current members for PMC logging are indifferent regarding 1.x,
> can there be a new PMC for log4j 1.x?

Hrmpf. Do you have any idea how much *work* that is? :) I have less than zero interest in that.

> > In that case we can put an unofficial release somewhere on github.
>
> I think there are many forks that fix 1.x security, especially, in-house
> ones.
> For instance, https://github.com/JetBrains/intellij-deps-log4j

I know so!
Here's a couple of interesting forks:

*fork                                               commits*
https://github.com/sebasjm/log4j                    136
https://github.com/albfernandez/log4j               44
https://github.com/DarkPhoenixs/log4j-patch         32
https://github.com/lsimons/log4j                    30  (itsa me! :-) )
https://github.com/rj08-97/log4j                    22
https://github.com/vinzlercodes/log4j               22
https://github.com/clhsieh211/log4j                 17
https://github.com/appian/log4j/tree/appian_1_2_17  14

*not bothered to fork                               commits*
https://github.com/ltslog/ltslog                    12
https://github.com/JetBrains/intellij-deps-log4j    2

Tragedy of the github commons: many find these days it's much easier to fork than to contribute. There's a lot of build fixes, some performance tuning, some small features, and a lot of deleting code due to security. Didn't really see anyone do their utmost to preserve compatibility beyond what they need for themselves.

I'm going to guess for the 100 public ones there are at least a 1000 in-company forks like this that you don't see.

Cheers,

Leo