I think we are slowly converging toward the following conclusion (at least this is how I see it).
- We want to make either Log4j2 or Logback as the default log engine. - We would provide some blogpost / documentation / how-to about how to change the default log engine. (even as simple as described here in this comment: https://github.com/apache/zookeeper/pull/1793#pullrequestreview-857545860 , extended with some audit logging example) - Currently we have a good patch for Logback thanks to Andor and to all the reviewers. As I would rather have something out sooner than later, for me the main questions are: (1) is logback good enough, or do we need log4j2? (2) if we need log4j2, then is there anyone who could prepare a patch for it soon? What do you think? Máté On Thu, Jan 20, 2022 at 9:15 AM Andor Molnar <an...@apache.org> wrote: > Thanks for the quick review Chris. > > I agree with the second part of your e-mail completely. I’m not sure > either that the community has given a thumbs-up for logback, but I wanted > to finalize my patch sooner, because I have other duties to take care of. > > I feel like logback is generally acceptable for ZK, but log4j2 would be > more convenient, because most projects will eventually swap for it. > > Andor > > > > > On 2022. Jan 20., at 2:42, Chris Nauroth <cnaur...@apache.org> wrote: > > > > Thank you, Andor. I entered one more round of very minor feedback. > > > > I'm not sure about the licensing changes. I responded on the PR with my > > thoughts, but I'd appreciate a second set of eyes on the licensing in > > particular. > > > > After resolving that feedback, I'll be ready to +1 from a code > perspective, > > but it sounds like the discussion of direction is not necessarily settled > > here. Can others who have raised red flags please clarify the degree of > > their objections? Is anyone actually -1 on a move to Logback? For my > part, > > even though I raised objections, I'm OK proceeding with Logback. I'll > > likely swap it for the Log4J 2 SLF4J back-end in my deployments. (I > > specifically tested this on your branch and confirmed it works.) > > > > Chris Nauroth > > > > > > On Wed, Jan 19, 2022 at 1:46 PM Andor Molnar <an...@apache.org> wrote: > > > >> I’m done with all the changes that I wanted to include in the first > >> logback patch. > >> Most of Chris’ feedback has also been addressed as well as the licensing > >> changes. > >> We have binary distribution which includes the logback jar, so I added > EPL > >> v1.0 > >> to LINCENSE.txt and mentioned Logback in the NOTICE.txt file. Hope all > >> done correctly. > >> > >> Documentation has also been updated according to the new logging > backend. > >> > >> Migration of zookeeper-recipes and zookeeper-contrib projects will come > in > >> the upcoming patch. > >> > >> Andor > >> > >> > >> > >>> On 2022. Jan 19., at 1:45, Ted Dunning <ted.dunn...@gmail.com> wrote: > >>> > >>> I believe that the primary contributor to logback was highly skeptical > >> that > >>> the recent problems could possible affect logback. That isn't a good > >>> attitude for security problems. > >>> > >>> It isn't just a matter of patch rate. There is also the question of > >>> community size. Is logback effectively a one-man show? > >>> > >>> > >>> > >>> On Tue, Jan 18, 2022 at 3:25 PM Christopher <ctubb...@apache.org> > wrote: > >>> > >>>> While it has had recent activity, it is notable that logback only > >> recently > >>>> became active again for patches to the stable 1.2 releases. After > >> several > >>>> releases in early 2017, it did not have a stable release for over four > >>>> years between 31-Mar-2017 (v1.2.3) and 19-Jul-2021 (v1.2.4). > >>>> > >>>> On Tue, Jan 18, 2022 at 6:20 PM Christopher <ctubb...@apache.org> > >> wrote: > >>>> > >>>>> Yes. It looks like logback is still actively being developed. 1.2 > had a > >>>>> release in December. The 1.3 line is still alpha and has also seen > >> recent > >>>>> releases (interestingly, it requires at least Java 9 to build, but > will > >>>> run > >>>>> on Java 8, which is similar to what I had recommended for ZK in a > >>>> different > >>>>> thread). 1.2 only requires Java 1.6 or later. Since it's still > >> receiving > >>>>> patches, and it's not alpha, that's probably the best version to use. > >>>>> Currently, it seems to be at 1.2.9. > >>>>> > >>>>> On Tue, Jan 18, 2022 at 2:25 PM Andor Molnar <an...@apache.org> > wrote: > >>>>> > >>>>>> I agree with you completely and this is crucial for logback too, so > >>>>>> correct me if I'm wrong. Logback is current and actively maintained. > >> Is > >>>>>> that correct? > >>>>>> > >>>>>> Andor > >>>>>> > >>>>>> > >>>>>> On Tue, 2022-01-18 at 12:43 -0500, Christopher wrote: > >>>>>>> I do think these are more good reasons to adopt > >>>>>>> something that is current and actively maintained, though, rather > >>>>>>> than > >>>>>>> something that is old and not active. > >>>>>> > >>>>>> > >>>>>> > >>>> > >> > >> > >