FreeAndNil commented on issue #292: URL: https://github.com/apache/logging-log4net/issues/292#issuecomment-4329261890
Hi Stefan, Thanks for the thoughtful write-up. **a)** Noted - and not entirely wrong. But as you say, let's not go down that path here. **b)** The double-checked locking approach you are proposing looks promising. The fast path stays lock-free via `TryGetValue`, and the lock is only taken on first creation - which is exactly the right trade-off. We will evaluate this and work on it. For some background: the switch from `Hashtable` to `ConcurrentDictionary` for the loggers collection was introduced in #126. The intent was sound - `Hashtable` was clearly no longer the right way to hold that data - but as your bug demonstrates, `ConcurrentDictionary` alone is not sufficient when the value needs to be initialized atomically. **c)** A 2.x release with the vulnerability fix is unfortunately not something we can provide. The 2.x line still targets legacy frameworks including .NET Compact Framework, and we no longer have any environment where we could build, test, or validate changes against those targets. Shipping a fix we cannot test would be irresponsible, so 2.x will not receive this fix. For most users, migrating to 3.x should be straightforward - outside of dropping support for those legacy frameworks, there are very few breaking changes. If you are on a modern framework, the upgrade path should be smooth. Thanks again for the detailed investigation and the concrete proposal. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
