Volkan> To the best of my knowledge, nobody has reached out to us with such a request except you
Volkan> and Leo

I think they just swallowed the pill that "1.x is marked EOL", and they did workarounds:
a) make the security team understand "the CVEs of 1.x are not that impactful for them"
b) make internal forks that cut out the problematic classes
c) RedHat having their own fork

However, now log4j is on the radars again, so I believe it is way easier (and better) to **fix** the CVEs than to keep explaining that "the CVEs are not important in this specific case".

I believe you might have access to the download stats for log4j.jar, so you can relate to the number of its usages.

However, now I realize that the project itself is NOT dead as long as there are people that want to maintain it. It is not wise to say "log4j 1.x is dead" or "log4j 1.x is EOL" when there are people willing to maintain and release new versions.

Note: I am not that crazy to do major refactorings in the 1.x branch. So I figured out that releasing log4j 18+ ( :)))) ) would make the lives of MANY MANY engineers and apps way easier. They would have a drop-in replacement that fixes CVEs, improves security all over the world, and so on.

Volkan> I bet it is a matter of months before people start asking for
Volkan> other fixes once we make a 1.x release. Now we have a real issue: 1.x has LOTs of known CVEs.

Could we refrain from theoretical discussions? Just in case, if in February you observe 10 newly created PRs, then it would be a nice problem to have. If all the PRs turn out to be trivial (e.g. fix an NPE in a special case, or fix java.version parsing for Java 17), then you could just merge them and release 1.2.19. If the review would take noticeable time, you could just say: "sorry, I have no time for reviewing the change, please consider creating a new PMC for log4j 1.x". **Everybody's** time is limited. If you have no time or desire to maintain/support/review/release 1.x, then just ask the others to do that (e.g. invite new people to the PMC or give away 1.x to another PMC).

It might be that there will be 10 PRs, and there will be *no one* willing to review and nobody willing to inherit 1.x. Then the PRs would just be abandoned. For instance, the current LOG4J2 JIRA has 809 issues. I doubt you will ever fix all of them :) So I doubt the question of "what do you do with old issues" or "what if there are 100500 open PRs" adds any value.

WDYT?

Vladimir
