> On Nov 5, 2022, at 6:08 AM, Elliotte Rusty Harold <elh...@ibiblio.org> wrote:
>
> After log4shell last year, I no longer have any patience for third
> party logging libraries, full stop.
>
> IMO logging should be done through java.util.logging, nothing else.
> This is fully functional since Java 1.4 twenty years ago. Log4j,
> slf4j, plexus-logging, etc. are all efforts to solve a problem we
> don't have any more. They are not needed and they introduce dependency
> problems and security issues.
Wow. I sure hope you mean this in the context of Maven only. JUL is the
absolute worst API and implementation the JDK developers could have come
up with. I have it on good authority that Ceki (the original author of Log4j 1
and
SLF4J) was consulted before JUL was added to JDK 1.4 but they pretty much
ignored everything he told them. They have never enhanced it - other than to
implement platform logging to avoid problems using JUL internally.
>
> For one example, Google has used java.util.logging exclusively in all
> its internal Java code since at least 2008 and never needed anything
> more. This is a matter of policy inside Google, and as a result of
> this log4shell was close to a non-event for one of the largest Java
> shops on the planet. It wasn't a complete non-event only because of
> third party libraries that depended on log4j and open source projects
> that weren't quite as strict about following Google rules.
I can absolutely guarantee you that if Google is actually using JUL that they
have written plenty of their own code on top of it since JUL is woefully
incomplete.
Ralph
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org
