> Now we have a real issue: 1.x has LOTs of known CVEs.
> Could we refrain from theoretical discussions?

We document CVE-2019-17571. Where is this CVE tonnage?

Gary

On Thu, Dec 23, 2021 at 10:39 AM Vladimir Sitnikov <sitnikov.vladi...@gmail.com> wrote:

> Volkan> To the best of my knowledge, nobody has reached out to us with such a request except you and Leo
>
> I think they just swallowed the pill that "1.x is marked EOL", and they did workarounds.
> a) make security team understand "the CVEs of 1.x are not that impactful for them"
> b) make internal forks that cut the problematic classes
> c) RedHat having their own fork
>
> However, now log4j went on the radars again, so I believe it is way easier (and better) to **fix** CVE than to keep explaining that "CVEs are not important in this specific case"
>
> I believe you might have access to the download stats for log4j.jar, so you can relate on the number of its usages.
>
> However, now I realize that the project itself is NOT dead as long as there are people that want to maintain it.
> It is not wise to say "log4j 1.x is dead" or "log4j 1.x is EOL" when there are people willing to maintain and release new versions.
> Note: I am not that crazy to do major refactorings in 1.x branch.
>
> So I figured out that releasing log4j 18+ ( :)))) ) would make the lives of MANY MANY engineers and apps way easier. They would have a drop-in-replacement that fixes CVEs, improves security all over the world, and so on.
>
> Volkan> I bet it is a matter of months people will start asking for other fixes once we make a 1.x release.
>
> Now we have a real issue: 1.x has LOTs of known CVEs.
> Could we refrain from theoretical discussions?
>
> Just in case, if in February you observe 10 newly created PRs, then it would be a nice problem to have.
>
> If all the PRs turn out to be trivial (e.g. fix NPE in a special case, or fix java.version parsing for Java 17), then you could just merge them and release 1.2.19
>
> If the review would take noticeable time, you could just say: "sorry, I have no time for reviewing the change, please consider creating a new PMC for log4j 1.x".
>
> **everybody's** time is limited. If you have no time or desire to maintain/support/review/release 1.x, then just ask the others to do that (e.g. invite new people to PMC or give away 1.x to another PMC).
>
> It might be there will be 10 PRs, and there will be *no one* willing to review and nobody willing to inherit 1.x. Then the PRs would be just abandoned.
>
> For instance, the current LOG4J2 JIRA has 809 issues. I doubt you will ever fix all of them :)
> So I doubt the question of "what do you do with old issues" or "what if there are 100500 open PRs" adds any value.
>
> WDYT?
>
> Vladimir