This is a vote to release the Apache Log4j 2.22.0. Website: https://logging.staged.apache.org/log4j GitHub: https://github.com/apache/logging-log4j2 Commit: a1634d695e5702ecab505fea5aadaf9890641487 Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j Nexus: https://repository.apache.org/content/repositories/orgapachelogging-1238 Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0
Please download, test, and cast your votes on this mailing list. [ ] +1, release the artifacts [ ] -1, don't release, because... This vote is open for 72 hours and will pass unless getting a net negative vote count. All votes are welcome and we encourage everyone to test the release, but only the Logging Services PMC votes are officially counted. == Review kit The minimum set of steps needed to review the uploaded distribution files can be summarized as follows: # Verify checksums shasum --check *.sha512 # Verify signatures for sigFile in *.asc; do gpg --verify $sigFile; done # Verify reproduciblity umask 0022 unzip *-src.zip -d src cd src export NEXUS_REPO=https://repository.apache.org/content/repositories/orgapachelogging-1238 sh mvnw -Prelease verify artifact:compare -Dreference.repo=$NEXUS_REPO == Release notes This release provides a CycloneDX Software Bill of Materials (SBOM)[1] along with each artifact and contains bug fixes addressing issues in the JPMS & OSGi infrastructure overhauled in `2.21.0`, dependency updates, and some other minor fixes and improvements. [1] https://cyclonedx.org/capabilities/sbom === CycloneDX Software Bill of Materials (SBOM) This is the first Log4j release that provides a CycloneDX Software Bill of Materials (SBOM)[1] along with each artifact. Generated SBOMs are attached as artifacts with `cyclonedx` classifier and XML extensions, that is, `<artifactId>-<version>-cyclonedx.xml`. They contain `vulnerability-assertion` references to a CycloneDX Vulnerability Disclosure Report (VDR)[2] that Apache Logging Services uses for all projects it maintains. This VDR is accessible through the following URL: https://logging.apache.org/cyclonedx/vdr.xml SBOM generation is streamlined by `logging-parent`, see its website[3] for details. [2] https://cyclonedx.org/capabilities/vdr [3] https://logging.apache.org/logging-parent/latest/#cyclonedx-sbom === Changed * Change the order of evaluation of `FormattedMessage` formatters. Messages are evaluated using `java.util.Format` only if they don't comply to the `java.text.MessageFormat` or `ParameterizedMessage` format. (#1223) * Change default encoding of HTTP Basic Authentication to UTF-8 and add `log4j2.configurationAuthorizationEncoding` property to overwrite it. (#1970) * Update `com.fasterxml.jackson:jackson-bom` to version `2.16.0` (#1974) * Update `com.github.luben:zstd-jni` to version `1.5.5-10` (#1940) * Update `com.google.guava:guava` to version `32.1.3-jre` (#1875) * Update `io.netty:netty-bom` to version `4.1.101.Final` (#1960) * Update `org.eclipse.persistence:org.eclipse.persistence.jpa` to version `2.7.13` (#1900) * Update `org.fusesource.jansi:jansi` to version `2.4.1` (#1907) * Update `org.mongodb:bson` to version `4.11.1` (#1957) * Update `org.springframework:spring-framework-bom` to version `5.3.30` * Update `org.springframework.boot:spring-boot` to version `2.7.17` (#1874) * Update `org.springframework:spring-framework-bom` to version `5.3.31` (#1973) * Update `org.zeromq:jeromq` to version `0.5.4` (#1878) === Removed * Removed unused `FastDateParser` which was causing unnecessary heap overhead (LOG4J2-3672, #1848) === Fixed * Fix MDC pattern converter causing issues for `%notEmpty` (#1922) * Export missing OSGi & JPMS modules in `log4j-layout-template-json` and `log4j-1.2-api` (#1895) * Fix `spring-test` dependency scope change (LOG4J2-3675) * Fix JPMS descriptors causing `jlink` issues (#1896) * Add missing `Implementation-` and `Specification-` entries to `MANIFEST.MF` (implemented by `logging-parent` version `10.3.0` update) (#1923) * Fix `NotSerializableException` thrown when `Logger` is serialized with a `ReusableMessageFactory` (#1884)
