ppkarwasz commented on issue #3066:
URL:
https://github.com/apache/logging-log4j2/issues/3066#issuecomment-2982130586
@dsvensson,
> New content added to gradle verification metadata (nevermind the _"key
couldn't be downloaded"_, have keyservers disabled and haven't imported the
keys yet):
>
> ...
>
> Is this intended going forward, or wait for patch release?
Yes, the presence of those libraries in the Gradle verification metadata is
**expected** — depending on how you consume Log4j.
### Why These Dependencies Appear
The annotation libraries you listed (BND, ErrorProne, JSpecify, SpotBugs,
and various OSGi annotations) are **intentionally used by Log4j**, but only
useful at **compile time**. To handle this across different build tools:
* In **Maven**, they are declared with the `provided` scope, which is not
inherited by downstream projects.
* However, as explained in #3110, this setup can lead to unwanted compiler
warnings for some users.
* To address that, since version `2.25.0`, Log4j also publishes Gradle
`.module` metadata where these dependencies are marked as `compileOnlyApi`:
  * `compileOnly` means they are **not present at runtime**.
  * `api` means they are **inherited by consumers**.

See also #3450, which implements this change.
### What You Should Do
* If your application uses the [Log4j
API](https://logging.apache.org/log4j/2.x/manual/api.html), these annotation
libraries might be useful during compilation and will appear in Gradle’s
dependency verification.
* If you **do not** use the Log4j API (e.g., you're using SLF4J as your
logging API), then you don't need those compile-time dependencies at all.
In that case, the cleanest setup is to use `log4j-core` and related
modules with the `runtimeOnly` scope, as recommended in our [Installation
Guide](https://logging.apache.org/log4j/2.x/manual/installation.html):
```groovy
dependencies {
    runtimeOnly platform('org.apache.logging.log4j:log4j-bom:2.25.0')

    // Logging API
    implementation 'org.slf4j:slf4j-api:2.0.17'

    // Logging implementation
    runtimeOnly 'org.apache.logging.log4j:log4j-slf4j2-impl'
    runtimeOnly 'org.apache.logging.log4j:log4j-core'
}
```
This setup avoids including unnecessary compile-time dependencies and
keeps your verification metadata clean.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.