I’m +1 for option one. For projects that ignored published CVEs for multiple years and then ignored the EOL announcement, I don’t see any reason they’d bother updating their ancient copies. The release difficulty in making something that’s compatible with previous releases makes this even more of a waste of time.
— Matt Sicker

> On Jan 1, 2022, at 11:20, Jochen Wiedmann <jochen.wiedm...@gmail.com> wrote:
>
> On Sat, Jan 1, 2022 at 4:40 PM Xeno Amess <xenoam...@gmail.com> wrote:
>
>>> People should migrate to log4j2.
>> good thinking, but what if they migrate to logback...
>
> No, it's not (good thinking, that is).
>
> Log4j1 is a part of basically *every* Java based server software, that
> I am aware of. People don't want to touch those. They need a drop-in
> replacement, not a successor. Over the last week, I was *really
> puzzled* about all the stuff that claims to be affected by the
> problems in log4j2. And that's the lesser used of the two...
>
> Jochen
>
>
>
> Philosophy is useless, theology is worse. (Industrial Disease, Dire Straits)