> Please don't revert to the old days where log4net was not > strong named. > This would require all developers (including myself) to build > log4net from source if they wanted to use it from an already > strong named assembly.
I don't think that releasing versions of log4net that are not strongly named is an option we can take. The only question is do we open source the strong name private key or do we keep it private (as we currently do). If we do not make our strong name private key open then users of applications that bind to the log4net strong name cannot build and substitute their own version of the log4net assembly. The only way in which they could would be it the main application is open source and therefore they can rebuild it from source, and therefore change its binding to a different log4net strong name. There needs to be a balance between application author security and user freedoms. At the moment we come down on the side of the application author and do curtail the user's freedom to replace the log4net binary. I believe that this is Microsoft's intention in designing the strong name binding system, especially as they do not allow a binding redirect configuration on the user's machine to redirect from one public key to another (only version may be redirected). It is likely that we will need to discuss this situation with the wider Apache community rather than just the log4net or the other Apache .net projects. Nicko
