I think it would be nice to do a release just to update dependencies.

Gary


On Tue, Oct 10, 2023, 2:33 PM Christian Grobmeier <grobme...@apache.org>
wrote:

> Hello,
>
> We have been talking about log4j-audit (same thread as with log4j-server).
>
> I have checked today after seeing Piotr's message, and even after reading
> the readme, I am still trying to figure out the purpose of this product.
> That aside, I am concerned the last change was four years ago. -audit is
> depending on Log4j 2.10, which is affected by log4shell.
>
> I checked on the releases, and I see only RCs here:
> https://github.com/apache/logging-log4j-audit/tags
> But two releases here:
> https://logging.apache.org/log4j-audit/latest/download.html
>
> What message are we sending?
>
> As I understand it we are currently promoting software that contains
> log4shell without any word of warning or any development plan on the
> horizon.
>
> Do we have any development cycles left to fix at least the security
> issues, with the Flume project probably merging into this project?
>
> I am not asking for the "will power", but the "real power": if it is not
> realistic to maintain this project, we should add warning labels, consider
> EOL, and/or actively search for contributors.
>
> I am willing to support a bit, but only if I understand the use of -audit
> :)
>
> Kind regards,
> Christian
>
