Vladimir,

The PMC is totally focused on resolving issues for log4j 2 at the moment. We are still getting tons of emails you can’t see. So if it seems like we are being unhelpful it is entirely because we are focused on that.

We’ve stated several times that we don’t think resurrecting Log4j 1.x permanently is a good idea. Besides the vulnerabilities, the code has serious threading issues that cannot be fixed with Log4j 1’s architecture. While I wasn’t on the Logging Services PMC when discussions about what to do were going on, I read the email threads. There were many discussions about breaking compatibility that no one wanted to do, which is ultimately how SLF4J and Logback came into existence. If you are interested in that sort of thing you can go read the log4j dev list from 15 years or so ago.

By the time I joined the Logging Services PMC most log4j 1.x development had stopped. Some of the contributors were still around but no one was doing much of anything.

The point of this is that we aren’t against fixing the CVEs in Log4j 1, but not by having stuff fail because the class is no longer there. JNDI can be scaled down as we have done in Log4j 2. The log server could prevent deserialization of unknown or arbitrary classes. Etc.

Ralph
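An added illustration (not from the thread or from the Log4j project) of the second mitigation Ralph mentions: a socket log receiver applying a JEP 290 deserialization allowlist so that only the event classes it expects can be read from a client stream. The class names in the filter pattern and the size limits are assumptions and must be checked against the log4j version actually deployed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.Hashtable;

public final class LogReceiverFilterDemo {

    // JEP 290 allowlist (Java 9+). The org.apache.log4j.spi names are the classes a
    // 1.x SocketAppender sends; the exact list is an assumption and must be verified
    // against the deployed log4j version. "!*" rejects everything not listed.
    static final ObjectInputFilter EVENT_FILTER = ObjectInputFilter.Config.createFilter(
            "org.apache.log4j.spi.LoggingEvent;"
          + "org.apache.log4j.spi.LocationInfo;"
          + "org.apache.log4j.spi.ThrowableInformation;"
          + "java.util.Hashtable;java.lang.String;"      // MDC copy and its entries
          + "maxdepth=8;maxrefs=256;maxbytes=65536;!*");

    /** Deserialize one incoming object with the allowlist applied to the stream. */
    static Object readEvent(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            in.setObjectInputFilter(EVENT_FILTER);   // must be set before readObject()
            return in.readObject();
        }
    }

    /** Serialize a test object the way a client (trusted or not) would send it. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an MDC-style Hashtable is on the allowlist and is read back.
        Hashtable<String, String> mdc = new Hashtable<>();
        mdc.put("user", "alice");
        System.out.println("accepted: " + readEvent(serialize(mdc)));

        // Constructed sample: ArrayList is not listed, so the filter rejects the stream
        // before the unlisted class is resolved or instantiated.
        try {
            readEvent(serialize(new ArrayList<>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```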


> On Dec 20, 2021, at 10:59 AM, Vladimir Sitnikov <sitnikov.vladi...@gmail.com> 
> wrote:
> 
> Ron>wouldn't a more efficient approach be to offer support to
> Ron>Logging Services
> 
> Ron,
> I did try my best to offer my help with updating log4j 1.x.
> Unfortunately, I failed and none of the Logging Services PMC accepted it.
> Here are the facts:
> https://lists.apache.org/thread/6lhkyytvpg4md757tfydb1k0mmp5j1oc
> 
> Ron>Re-starting the entire EOL'ed Log4j1
> Ron>engine with a new crew to fix one issue is confusing
> 
> It is confusing for me as well, however, the current crew does seem to cooperate regarding the changes to 1.x.
> 
> Ron>I don't get the sense folks are against fixing things
> 
> 1) There are multiple known open CVEs in log4j 1.x. The team is not really
> fixing known security issues.
> 2) All the responses from the current PMC are behind the lines of "evangelizing 2.x" rather than suggesting a way to fix 1.x and release it.
> 
> Ron>To answer your
> Ron>question about sponsorship, I want to explore partnering with Logging
> Ron>Services before forming a new Log4j1 team.
> 
> For example, my very basic suggestion was "let's move 1.x to Git for easier contribution", however, none of the PMC members approved the change.
> 
> When it comes to code-related changes, the reviews are vague, and it is
> really hard (impossible?) to find consensus.
> On top of that, the review is complicated by the fact that **multiple** fixes are needed for log4j 1.x:
> 1) There are multiple known CVEs regarding 1.x
> 2) 1.x uses a really old build system, so, in my opinion, the build scripts
> should be updated before any other changes
> 
> Vladimir
