As we all know, Log4j 1.x reached end of life in August 2015. Log4j 1.2.17 was
released on May 26, 2012. The last commit was to update the
web site 7 years ago. The changes.xml file shows there were commits up to
sometime in 2012, all of which were performed by Gary Gregory
and Christian Grobmeier who ironically both voted no to opening the repo back
up.
The point of this history is to point out that the project essentially died in
2012. We simply acknowledged it in 2015.
So now we have voted to open the repo. The question then becomes what to do
next and going forward. I see several options:
1. Create a README.md that publishes the project's EOL status and do nothing
else.
2. Create a README.md that says the project is EOL and no further bug fixes or
enhancements will be made but 1.2.18 was a special circumstance. Perform ONLY
the following work for 1.2.18:
   a. Make the build work with a modern version of Maven.
   b. Fix the Java version bug.
   c. Fix CVE-2021-4104 (expanded to address all JNDI components).
   d. Fix CVE-2019-17571.
   The expectation is that the above would address the actual issues and not
   just remove classes.
   Do NOT perform a release of any kind.
3. Option 2 but only perform a source release.
4. Option 2 but perform a full release.
5. Option 4 but allow development to continue, including bug fixes and
enhancements.
I personally can see valid reasons to do any of the above. I have my own
opinion on this but I will post that in a reply to this discussion kickoff.
If you have other proposals feel free to state them.
This discussion will be followed up by a vote thread if necessary.
Ralph