Hi, folks. I'm +1 to both updating to log4j2 or logback and supporting security updates for some time if we can but encourage migration to 2.2+ ASAP. Maybe we should publish some EOL date in the 2.2.0 announcement if we didn't before. It should give both time scope for migration and limit committers' burden supporting 1.x with transparent EOL date.
Just my 2c -- Best regards, Konstantin Gribov. On Wed, Dec 15, 2021 at 4:05 AM Luís Filipe Nassif <lfcnas...@gmail.com> wrote: > Sorry about the additional work, Tim. I thought upgrading from log4j-1.x to > 2.x on Tika-1.x maybe could not be that hard and didn't know about breaking > changes. > > Related to Eric's email, would we support Tika-1.x security updates for > some while (that was my intent with the proposal above)? Was this already > discussed? > > Best regards, > Luis Filipe > > > > Em seg., 13 de dez. de 2021 às 17:23, Tim Allison <talli...@apache.org> > escreveu: > > > Yes. That was the reasoning behind my -0. I don't think this will > > destroy our resources, but yes, please do migrate to 2.x asap. > > > > > > On Mon, Dec 13, 2021 at 3:13 PM Eric Pugh > > <ep...@opensourceconnections.com> wrote: > > > > > > Isn’t the goal of Tika 2 to mean that we no longer work on Tika 1? > > Does the Tika community have enough developer bandwidth to continue to > > maintain Tika 1 while also pushing forward on Tika 2? > > > > > > I worry that we’ll fall into that situation where people just end up > > using Tika 1 for forever, especially if there are new updates to it that > > are happening, which then encourages folks not to move to Tika 2. > > > > > > > > > > > > > > > > On Dec 13, 2021, at 2:49 PM, Tim Allison <talli...@apache.org> > wrote: > > > > > > > > Sounds like 2 +1 to my -0. :D I'll start working on this now. > > > > > > > > On Mon, Dec 13, 2021 at 2:09 PM Nicholas DiPiazza > > > > <nicholas.dipia...@gmail.com> wrote: > > > >> > > > >> I prefer upgrade to log4j2 > > > >> > > > >> On Mon, Dec 13, 2021, 12:05 PM Tim Allison <talli...@apache.org> > > wrote: > > > >> > > > >>> All, > > > >>> I'm currently in the process of building the rc1 for Tika 2.x. On > > > >>> TIKA-3616, Luís Filipe Nassif asked if we could upgrade log4j to > > > >>> log4j2 in the 1.x branch. I think we avoided that because it would > > be > > > >>> a breaking change(?). There are security vulns in log4j and it hit > > > >>> EOL > > > >>> in August 2015. > > > >>> Should we upgrade the Tika 1.x branch for log4j2? > > > >>> > > > >>> Best, > > > >>> > > > >>> Tim > > > >>> > > > >>> > > > >>> [1] > > > >>> > > > https://issues.apache.org/jira/browse/TIKA-3616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457595#comment-17457595 > > > >>> > > > > > > _______________________ > > > Eric Pugh | Founder & CEO | OpenSource Connections, LLC | 434.466.1467 > | > > http://www.opensourceconnections.com < > > http://www.opensourceconnections.com/> | My Free/Busy < > > http://tinyurl.com/eric-cal> > > > Co-Author: Apache Solr Enterprise Search Server, 3rd Ed < > > > https://www.packtpub.com/big-data-and-business-intelligence/apache-solr-enterprise-search-server-third-edition-raw > > > > > > This e-mail and all contents, including attachments, is considered to > be > > Company Confidential unless explicitly stated otherwise, regardless of > > whether attachments are marked as such. > > > > > >
