I believe that the primary contributor to logback was highly skeptical that the recent problems could possibly affect logback. That isn't a good attitude for security problems.
It isn't just a matter of patch rate. There is also the question of community size. Is logback effectively a one-man show?

On Tue, Jan 18, 2022 at 3:25 PM Christopher <ctubb...@apache.org> wrote:

> While it has had recent activity, it is notable that logback only recently became active again for patches to the stable 1.2 releases. After several releases in early 2017, it did not have a stable release for over four years between 31-Mar-2017 (v1.2.3) and 19-Jul-2021 (v1.2.4).
>
> On Tue, Jan 18, 2022 at 6:20 PM Christopher <ctubb...@apache.org> wrote:
>
> > Yes. It looks like logback is still actively being developed. 1.2 had a release in December. The 1.3 line is still alpha and has also seen recent releases (interestingly, it requires at least Java 9 to build, but will run on Java 8, which is similar to what I had recommended for ZK in a different thread). 1.2 only requires Java 1.6 or later. Since it's still receiving patches, and it's not alpha, that's probably the best version to use. Currently, it seems to be at 1.2.9.
> >
> > On Tue, Jan 18, 2022 at 2:25 PM Andor Molnar <an...@apache.org> wrote:
> >
> >> I agree with you completely and this is crucial for logback too, so correct me if I'm wrong. Logback is current and actively maintained. Is that correct?
> >>
> >> Andor
> >>
> >>
> >> On Tue, 2022-01-18 at 12:43 -0500, Christopher wrote:
> >> > I do think these are more good reasons to adopt something that is current and actively maintained, though, rather than something that is old and not active.