Another approach is the bridge that the logging project just released. https://twitter.com/ted_dunning/status/1487876548384346115?s=20&t=xe0GsxjqJUHyw5LcJc_8DQ
On Sun, Jan 30, 2022 at 1:13 AM Szalay-Bekő Máté <[email protected]> wrote: > Thank you Enrico! > > I like the reload4j idea for all our older, but still active releases. This > is as backward compatible as we can get with solving the security issues. > I think it would be good to do this also on branch-3.5, as this is an > important security fix and I don't think we ever communicated EOL for 3.5 > yet. Actually I'm happy to coordinate a new release on 3.5 after 3.8.0 is > finished. > > We should also clearly communicate on the webpage the default logging > framework versions we ship with our different releases. > > I'm not sure, maybe the PMC members discussed this already, but it would be > also important to come up with some EOL strategy to keep our active > branches low and put it to our webpage. > > Best regards, > Mate > > On Sun, Jan 30, 2022 at 9:11 AM Enrico Olivelli <[email protected]> > wrote: > > > Hello folks, > > We are close to cutting some releases, at least I would like to do so, > > but we should remove log41 from our binary tarballs. > > > > For the next upcoming major release, 3.8.0, we decided to switch to > > Logback, good. > > But the older branches, 3.5, 3.6, 3.7 we should remove log41 > > > > There is an initiative, https://reload4j.qos.ch/, that basically is a > > fork of log4j1 with the security fixes, so it is 100% compatible. > > > > I sent a PR for the branch-3.7, I will do the same at least for 3.6, I > > can do the same for 3.5 if anyone would like to cut a release some day > > (I am not sure) > > > > https://github.com/apache/zookeeper/pull/1802 > > > > If there are any objections please anyone review my patch and we can > > merge it in a few days, just to give time to the community to see this > > message and express their thoughts. > > > > Best regards > > Enrico > > >
