At 06:16 PM 12/1/2004, Jacob Kjome wrote:
"clue train"? What documentation?
The documentation is lacking. Anyway, very few people know to set the RS, it must less than 5 people on the planet. We'll document the null pointer problem so that people don't forget to set the default repository in their custom RS. If they forget, the null pointer will remind them soon enough.
And why shouldn't a developer only need to look at the API? Why should we expect people on the "clue train" to look at every inch of code in a logging API. Ceki, I can see your point to an extent, but sensible and predictable defaults are not, IMO, "side effects". Log4j should be easy to use and shouldn't be able to be used for evil (taking down entire application servers) whether the developer using the API is clueless or a prodogy (doing it with full knowledge out of spite).
If, Sideshow Bob, the evil programmer, intentionally leaves the default repository blank, setting a default repository in LogManger.setRepositotySelector won't help because Sideshow Bob can always write:
class EvilRespotirySelector implements RepositorySelector { LoggerRepository getDefaultRepository() {
// Sideshow Bob finds pleasure in evil deeds:
return null;
}
}Security can be only be guaranteed by setting the guard.
I strongly disagree with your conclusions here and hope you change your mind. At a minimum, I'm satisfied that I've vigorously tried to defend my position.
Indeed you have.
If it doesn't prevail, then I'll drink the coolaide and modify my initialization code to do
something that Log4j should do for me in the first place, but that's life and
open source.
Your position is totally understandable. I hope I could convince you that my opposition is not totally brain dead either.
Jake
-- Ceki G�lc�
The complete log4j manual: http://qos.ch/eclm
Professional log4j support: http://qos.ch/log4jSupport
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
