I believe that the primary contributor to logback was highly skeptical that
the recent problems could possibly affect logback. That isn't a good
attitude for security problems.

It isn't just a matter of patch rate. There is also the question of
community size. Is logback effectively a one-man show?



On Tue, Jan 18, 2022 at 3:25 PM Christopher <ctubb...@apache.org> wrote:

> While it has had recent activity, it is notable that logback only recently
> became active again for patches to the stable 1.2 releases. After several
> releases in early 2017, it did not have a stable release for over four
> years between 31-Mar-2017 (v1.2.3) and 19-Jul-2021 (v1.2.4).
>
> On Tue, Jan 18, 2022 at 6:20 PM Christopher <ctubb...@apache.org> wrote:
>
> > Yes. It looks like logback is still actively being developed. 1.2 had a
> > release in December. The 1.3 line is still alpha and has also seen recent
> > releases (interestingly, it requires at least Java 9 to build, but will run
> > on Java 8, which is similar to what I had recommended for ZK in a different
> > thread). 1.2 only requires Java 1.6 or later. Since it's still receiving
> > patches, and it's not alpha, that's probably the best version to use.
> > Currently, it seems to be at 1.2.9.
> >
> > On Tue, Jan 18, 2022 at 2:25 PM Andor Molnar <an...@apache.org> wrote:
> >
> >> I agree with you completely and this is crucial for logback too, so
> >> correct me if I'm wrong. Logback is current and actively maintained. Is
> >> that correct?
> >>
> >> Andor
> >>
> >>
> >> On Tue, 2022-01-18 at 12:43 -0500, Christopher wrote:
> >> > I do think these are more good reasons to adopt
> >> > something that is current and actively maintained, though, rather than
> >> > something that is old and not active.
> >>
> >>
> >>
>
