I agree with Remko on all his points. As I've stated before, IF there is a 1.2.18, it should ONLY be for CVEs, and where applicable, fixed in the same style as we have for 2.x. This is, IMO, what would be best for users *short* of migrating to 2.x.
A problem from my perspective will be users thinking the project is resurrected and asking for "just this little fix" or "just that little feature", which would be a "no" from me. We have a 1.2 compatibility layer in 2.x, let's make that better so that 2.x could become as close as possible to a drop-in replacement for 1.2.

Gary

On Tue, Dec 21, 2021 at 8:36 AM Remko Popma <[email protected]> wrote:

> Vladimir,
>
> Have you had a chance to work on a patch for the security vulnerabilities?
>
> While there is understandably not much interest in “resurrecting” the
> Log4j 1.x project, overall people are positive about releasing a 1.2.18
> with security patches.
>
> I think it would be most helpful if we can stay focused on those security
> patches rather than pushing the PMC for an effort to revive an EOL project.
>
> I can see how things appear to be moving very slowly from your
> perspective, but as Ralph pointed out the PMC is pretty busy with 2.x patch
> releases and the flood of email that has been piling up.
>
> I see your enthusiasm and eagerness to contribute and that’s really great!
> I would suggest that you direct that energy towards looking at the Log4j
> 1.x source code, figuring out what classes should be modified in which way,
> and how to test those changes.
> And discussing such code changes on the mailing list together with fellow
> enthusiasts.
>
> Migration to git will happen. Maybe not as fast as you would like, but
> please cut the PMC some slack in this stressful time.
>
> Surely you can start working on the actual security improvements without
> re-incubating a Log4j 1.x project, in parallel with (while waiting for) the
> migration from svn to git?
>
> Onwards,
>
> Remko
>
> On Dec 21, 2021, at 20:52, Vladimir Sitnikov <
> [email protected]> wrote:
> >
> > Ron,
> >
> > I know these are not easy times for you,
> > however, it looks like we are going in circles.
> >
> > There's visible demand for releasing fixes for 1.x:
> > https://lists.apache.org/thread/llgp7b9v1t081o3215o7xq4zpct1x0b4
> >
> > So the question is
> > "Could you sponsor the project or do you want Incubator to do that?"
> >
> > I see the current crew is not interested in fixing and releasing 1.x.
> > Why don't you just allow others to fix things?
> >
> > Vladimir
