Ceki, Thank you for posting this. Your input here is always welcome so far as I am concerned. This is a much better place to hold discussions than Twitter.
See below.

> On Jan 6, 2022, at 3:00 AM, Ceki Gülcü <[email protected]> wrote:
>
> Dear Ron,
>
> Thank you for this detailed and very well crafted message. I would like to
> make the following observations.
>
> The fact that the decision was unanimous on such a delicate matter is quite
> surprising and very interesting in itself with respect to group dynamics.

Are you insinuating that PMC members were somehow coerced into making the votes they did? That is not the case. The PMC held a video call last week, as it has done a number of times over the last month, to discuss this. As you can see in the discussion thread on this list, no one was interested in pursuing long-term development of Log4j 1, as its primary proponent here wanted. So the discussion revolved solely around doing a single release or not. We were partly swayed when we found that there are already at least 2 forks outside the ASF that fix the CVEs but include many of the limitations a release here would have faced. The reasons listed in the statement below are indeed the reasons the vote was unanimous.

> Coming back to the issue at hand, the notion that log4j 2.x offers a natural
> migration path from log4j 1.x is rather doubtful.

You certainly have a right to be doubtful. We know there are users who mucked way too far into the internals of Log4j 1 for any migration support to realistically help them. But we also know the support works for the cases we have tested. Will it need improvement? Of course. Will it have bugs? Of course. Are we committed to fixing and improving the support? Yes.

> As for the various log4j 1.x bugs, log4j 2.x also has numerous bugs and some
> of the design choices in 2.x are very much debatable.

It is no great surprise that you find the architectural choices debatable. After all, had you agreed to them when they were proposed for Logback, Log4j2 probably wouldn't exist, along with the Logging Services project. Does it have bugs? All software has bugs. The primary issue behind CVE-2021-44228 was a poor implementation choice that was made back when Log4j 2 was still in the experimental phase and you were still active on the PMC. The other design choices you rejected have all had the desired results. Still, there is always room for improvement.

> More practically speaking, I think it is important to fix the critical issues
> in log4j 1.x. The effort involved is reasonable and is likely to help a lot
> of people.

Most of us agree. Ironically, those that do not are the only PMC members left who committed to Log4j 1 while it was active. Had you come forward with an offer to lead the effort to do a "one and done" release, I suspect the outcome of the vote would have been different. Despite GitHub showing your last commits to be 15 or 16 years ago, I am sure you still know that code base better than anyone. Coming by now to criticize the vote instead of offering to help during the discussion doesn't really help anyone.

> Best regards and a happy new year.
>
> --
> Ceki Gülcü

Ralph
