Re: [VOTE] Release Apache Log4j 3.0.0-beta1

[Piotr P. Karwasz]

Hi Gary,

On Thu, 14 Dec 2023 at 21:39, Gary Gregory  wrote:
> If you write "Please don't release this.", then you should vote -1. Or am I
> missing something?

You are right. I am voting -1, because of the `*-test-sources.jar`
artifacts in the Maven repository.

Reproducibility is not an issue, we just need to use the Git tag
instead of the source archive.

Piotr

[log4j] Revamping Log4j website & manual structure

[Volkan Yazıcı]

*TLDR:* Log4j website & manual structure (i.e., sectioning) will be
changed. Please reply for feedback and/or support.

As a part of the planned Log4j website & manual revamp
, I ask
for your feedback on the structure Christian, Piotr, and I had worked out
earlier:
https://docs.google.com/document/d/10Fu7oqDzdM_D6LbexzwX9arh51Tic7AGvkWTQrL6jjQ
PMC
members have editor rights to the document, the rest can only view.
Ideally, first the discussion should take place here rather than directly
updating the document.

Please take into account that this discussion is only about the structural
organization. It is **not** about tooling (Markdown, AsciiDoc, Antora,
Maven, etc.), which repository/repositories to store the sources, or URLs.

Re: [VOTE] Release Apache Log4j 3.0.0-beta1

[Volkan Yazıcı]

I am cancelling this vote. I may try to issue an RC2 this week if time
allows. If you think that is inconvenient due to upcoming xmas, and/or you
want to issue the RC2 yourself, please let me know.

On Wed, Dec 13, 2023 at 4:26 PM Volkan Yazıcı  wrote:

> This is a vote to release the Apache Log4j 3.0.0-beta1.
>
> Website: https://logging.staged.apache.org/log4j
> GitHub: https://github.com/apache/logging-log4j2
> Commit: c5dbdcfeb0216e1e3e333436e9b4d04cc3b8e6fd
> Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j
> Nexus:
> https://repository.apache.org/content/repositories/orgapachelogging-1246
> Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0
>
> Please download, test, and cast your votes on this mailing list.
>
> [ ] +1, release the artifacts
> [ ] -1, don't release, because...
>
> This vote is open for 72 hours and will pass unless getting a
> net negative vote count. All votes are welcome and we encourage
> everyone to test the release, but only the Logging Services PMC
> votes are officially counted.
>
> == Review Kit
>
> The minimum set of steps needed to review the uploaded distribution
> files in the Subversion repository can be summarized as follows:
>
> # Check out the distribution
> svn co https://dist.apache.org/repos/... && cd $_
>
> # Verify checksums
> shasum --check *.sha512
>
> # Verify signatures
> wget -O - https://downloads.apache.org/logging/KEYS | gpg --import
> for sigFile in *.asc; do gpg --verify $sigFile; done
>
> # Verify reproduciblity
> umask 0022
> unzip *-src.zip -d src
> cd src
> export NEXUS_REPO=https://repository.apache.org/content/...
> sh mvnw -Prelease \
> verify artifact:compare \
> -Dreference.repo=$NEXUS_REPO \
> -Dcyclonedx.skip
>
> Some SBOM discrepancy is causing reproducibility mismatch, hence the
> `-Dcyclonedx.skip`. Since `2.x` and `main` are greatly diverged, I couldn't
> figure out the missing piece yet.
>
> == Release Notes
>
> This is the first beta release of the upcoming major release, i.e.,
> `3.0.0`.
>
> === Added
>
> * Add annotations for nullability. (LOG4J2-1477)
> * Remove deprecated code. (LOG4J2-2493)
> * Add a more generalized dependency injection system to plugins inspired
> by JSR 330. (LOG4J2-2803)
> * Add and enhance structured properties for per-context settings outside
> configuration files. (1473)
> * Automate artifact publishing and release preparation. (LOG4J2-3466)
> * Add support for dependency injection of plugins into container types
> such as `Optional`, `Collection`, `Set`, `Stream`, `List`,
> and `Map`. (LOG4J2-3496)
> * Add support for `ConstraintValidator` in plugin classes. (LOG4J2-3497)
>
> === Changed
>
> * Remove liquibase-log4j2 maven module (#1193)
> * Make the output of annotation processing reproducible. (#1520)
> * Replace `synchronized` blocks with locks for improved performance with
> virtual threads. (#1532)
> * Removes additional `isFiltered` checks in `AsyncLoggerConfig`. (#1550)
> * Ignore exceptions thrown by PropertySources. Eliminate
> ClassCastException when SimpleLoggerContext is used.
> (spring-projects/spring-boot#33450, #1799)
> * Update `com.lmax:disruptor` to version `4.0.0` (#1829)
> * Migrate most tests to JUnit 5. This includes a more powerful set of test
> extensions. (LOG4J2-2653)
> * Make Log4j use its own BOM. (LOG4J2-3511)
> * Change encoding of HTTP Basic Authentication to UTF-8. (#1970)
> * Upgraded the required compiler version to Java 17
> * Upgraded the required runtime version to Java 17
> * Update `actions/checkout` to version `4.1.1` (#1869)
> * Update `actions/setup-java` to version `3.13.0` (#1809)
> * Update `actions/setup-python` to version `4.7.1` (#1831)
> * Update `ch.qos.logback:logback-classic` to version `1.4.14` (#2028)
> * Update `com.datastax.cassandra:cassandra-driver-core` to version
> `3.11.5` (#1889)
> * Update `com.fasterxml.jackson:jackson-bom` to version `2.16.0` (#1974)
> * Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2032)
> * Update `com.github.spotbugs:spotbugs-maven-plugin` to version `4.7.3.6`
> (#1879)
> * Update `com.github.tomakehurst:wiremock-jre8` to version `2.35.1` (#1765)
> * Update `com.google.errorprone:error_prone_core` to version `2.23.0`
> (#1871)
> * Update `com.google.guava:guava-testlib` to version `32.1.3-jre` (#1934)
> * Update `com.h2database:h2` to version `2.2.224` (#1917)
> * Update `commons-codec:commons-codec` to version `1.16.0` (#2054)
> * Update `commons-io:commons-io` to version `2.15.1` (#2035)
> * Update `commons-logging:commons-logging` to version `1.3.0` (#2046)
> * Update `de.flapdoodle.reverse:de.flapdoodle.reverse` to version `1.7.2`
> (#2000)
> * Update `io.netty:netty-bom` to version `4.1.101.Final` (#1999)
> * Update `net.java.dev.jna:jna` to version `5.14.0` (#2082)
> * Update `org.apache.aries.spifly:org.apache.aries.spifly.dynamic.bundle`
> to version `1.3.7` (#2053)
> * Update `org.apache.commons:commons-c

Re: [log4j] Revamping Log4j website & manual structure

[Gary Gregory]

Hi all,

Thank you V for putting this together.

>From a high level, I don't like that the proposal is split into a website
and a manual. The material should be the same and obviously optionally
differently as a site vs a manual. For example, why is the tutorial
excluded from the manual? Anyway, this might all be quicker to discuss in a
meeting.

Maybe the proposal refers to the current state of things?

The text refers to 3 major versions being widely used, obviously only 2 are
in play ATM.

Gary

On Tue, Dec 19, 2023, 5:03 AM Volkan Yazıcı  wrote:

> *TLDR:* Log4j website & manual structure (i.e., sectioning) will be
> changed. Please reply for feedback and/or support.
>
> As a part of the planned Log4j website & manual revamp
> , I ask
> for your feedback on the structure Christian, Piotr, and I had worked out
> earlier:
>
> https://docs.google.com/document/d/10Fu7oqDzdM_D6LbexzwX9arh51Tic7AGvkWTQrL6jjQ
> PMC
> members have editor rights to the document, the rest can only view.
> Ideally, first the discussion should take place here rather than directly
> updating the document.
>
> Please take into account that this discussion is only about the structural
> organization. It is **not** about tooling (Markdown, AsciiDoc, Antora,
> Maven, etc.), which repository/repositories to store the sources, or URLs.
>

Re: [VOTE] Release Apache Log4j 3.0.0-beta1

[Gary Gregory]

Hi all,

Do note that building from sources, not git, is an Apache requirement. IIRC
reproducibility is a nice-to-have for Apache, but are we making this a
Logging or Log4J requirement? So a review should not be based on a git tag
IMO, it should be based on downloading the src zip or tar and building from
that, which is what a Linux distribution that builds everything from first
principles would do.

Gary

On Tue, Dec 19, 2023, 3:31 AM Piotr P. Karwasz 
wrote:

> Hi Gary,
>
> On Thu, 14 Dec 2023 at 21:39, Gary Gregory  wrote:
> > If you write "Please don't release this.", then you should vote -1. Or
> am I
> > missing something?
>
> You are right. I am voting -1, because of the `*-test-sources.jar`
> artifacts in the Maven repository.
>
> Reproducibility is not an issue, we just need to use the Git tag
> instead of the source archive.
>
> Piotr
>

Re: [VOTE] Release Apache Log4j 3.0.0-beta1

[Christian Grobmeier]

Hi Volkan

On Tue, Dec 19, 2023, at 13:43, Volkan Yazıcı wrote:
> I am cancelling this vote. I may try to issue an RC2 this week if time
> allows. If you think that is inconvenient due to upcoming xmas, and/or you
> want to issue the RC2 yourself, please let me know.

please don't cut an RC2 this week. This vote took 6 days and some nitpicks. I 
am afraid it might be open over christmas. Apart from that, I know how tight 
your schedule is, so you may take it as a relief to not cut another one :)

Thanks for your hard work!


>
> On Wed, Dec 13, 2023 at 4:26 PM Volkan Yazıcı  wrote:
>
>> This is a vote to release the Apache Log4j 3.0.0-beta1.
>>
>> Website: https://logging.staged.apache.org/log4j
>> GitHub: https://github.com/apache/logging-log4j2
>> Commit: c5dbdcfeb0216e1e3e333436e9b4d04cc3b8e6fd
>> Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j
>> Nexus:
>> https://repository.apache.org/content/repositories/orgapachelogging-1246
>> Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0
>>
>> Please download, test, and cast your votes on this mailing list.
>>
>> [ ] +1, release the artifacts
>> [ ] -1, don't release, because...
>>
>> This vote is open for 72 hours and will pass unless getting a
>> net negative vote count. All votes are welcome and we encourage
>> everyone to test the release, but only the Logging Services PMC
>> votes are officially counted.
>>
>> == Review Kit
>>
>> The minimum set of steps needed to review the uploaded distribution
>> files in the Subversion repository can be summarized as follows:
>>
>> # Check out the distribution
>> svn co https://dist.apache.org/repos/... && cd $_
>>
>> # Verify checksums
>> shasum --check *.sha512
>>
>> # Verify signatures
>> wget -O - https://downloads.apache.org/logging/KEYS | gpg --import
>> for sigFile in *.asc; do gpg --verify $sigFile; done
>>
>> # Verify reproduciblity
>> umask 0022
>> unzip *-src.zip -d src
>> cd src
>> export NEXUS_REPO=https://repository.apache.org/content/...
>> sh mvnw -Prelease \
>> verify artifact:compare \
>> -Dreference.repo=$NEXUS_REPO \
>> -Dcyclonedx.skip
>>
>> Some SBOM discrepancy is causing reproducibility mismatch, hence the
>> `-Dcyclonedx.skip`. Since `2.x` and `main` are greatly diverged, I couldn't
>> figure out the missing piece yet.
>>
>> == Release Notes
>>
>> This is the first beta release of the upcoming major release, i.e.,
>> `3.0.0`.
>>
>> === Added
>>
>> * Add annotations for nullability. (LOG4J2-1477)
>> * Remove deprecated code. (LOG4J2-2493)
>> * Add a more generalized dependency injection system to plugins inspired
>> by JSR 330. (LOG4J2-2803)
>> * Add and enhance structured properties for per-context settings outside
>> configuration files. (1473)
>> * Automate artifact publishing and release preparation. (LOG4J2-3466)
>> * Add support for dependency injection of plugins into container types
>> such as `Optional`, `Collection`, `Set`, `Stream`, `List`,
>> and `Map`. (LOG4J2-3496)
>> * Add support for `ConstraintValidator` in plugin classes. (LOG4J2-3497)
>>
>> === Changed
>>
>> * Remove liquibase-log4j2 maven module (#1193)
>> * Make the output of annotation processing reproducible. (#1520)
>> * Replace `synchronized` blocks with locks for improved performance with
>> virtual threads. (#1532)
>> * Removes additional `isFiltered` checks in `AsyncLoggerConfig`. (#1550)
>> * Ignore exceptions thrown by PropertySources. Eliminate
>> ClassCastException when SimpleLoggerContext is used.
>> (spring-projects/spring-boot#33450, #1799)
>> * Update `com.lmax:disruptor` to version `4.0.0` (#1829)
>> * Migrate most tests to JUnit 5. This includes a more powerful set of test
>> extensions. (LOG4J2-2653)
>> * Make Log4j use its own BOM. (LOG4J2-3511)
>> * Change encoding of HTTP Basic Authentication to UTF-8. (#1970)
>> * Upgraded the required compiler version to Java 17
>> * Upgraded the required runtime version to Java 17
>> * Update `actions/checkout` to version `4.1.1` (#1869)
>> * Update `actions/setup-java` to version `3.13.0` (#1809)
>> * Update `actions/setup-python` to version `4.7.1` (#1831)
>> * Update `ch.qos.logback:logback-classic` to version `1.4.14` (#2028)
>> * Update `com.datastax.cassandra:cassandra-driver-core` to version
>> `3.11.5` (#1889)
>> * Update `com.fasterxml.jackson:jackson-bom` to version `2.16.0` (#1974)
>> * Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2032)
>> * Update `com.github.spotbugs:spotbugs-maven-plugin` to version `4.7.3.6`
>> (#1879)
>> * Update `com.github.tomakehurst:wiremock-jre8` to version `2.35.1` (#1765)
>> * Update `com.google.errorprone:error_prone_core` to version `2.23.0`
>> (#1871)
>> * Update `com.google.guava:guava-testlib` to version `32.1.3-jre` (#1934)
>> * Update `com.h2database:h2` to version `2.2.224` (#1917)
>> * Update `commons-codec:commons-codec` to version `1.16.0` (#2054)
>> * Update `commons-io:commons-io` to version `2.15.1` (

Re: [VOTE] Release Apache Log4j 3.0.0-beta1

[Piotr P. Karwasz]

Hi Gary,

On Tue, 19 Dec 2023 at 14:05, Gary Gregory  wrote:
> Do note that building from sources, not git, is an Apache requirement. IIRC
> reproducibility is a nice-to-have for Apache, but are we making this a
> Logging or Log4J requirement?

Reproducibility is a requirement from the Apache Security team to
allow publishing CI-generated artifacts. Since we don't own the
machine that generates the artifacts, we must check the results it
gives us.

Of course I am taking reproducibility to an extreme: nobody (even
`jvm-repo-rebuild/reproducible-central`) cares if Javadoc or source
JARs are reproducible. And this is the case of 3.0.0-beta1 RC1: the
`test-sources.jar` files are not reproducible, while the rest is.

Piotr

Re: [VOTE] Release Apache Log4j 3.0.0-beta1

[Ralph Goers]

Christian,

The vote has been open for 6 days because we were under the impression the vote 
was going be cancelled based on Piotr’s feedback. I can commit to having the 
review done in 72 hrs if the release is cut today or tomorrow. This slow down 
for me at work this time of the year so between now and New Years Day is a 
great time to get stuff done.

Ralph

> On Dec 19, 2023, at 6:12 AM, Christian Grobmeier  wrote:
> 
> Hi Volkan
> 
> On Tue, Dec 19, 2023, at 13:43, Volkan Yazıcı wrote:
>> I am cancelling this vote. I may try to issue an RC2 this week if time
>> allows. If you think that is inconvenient due to upcoming xmas, and/or you
>> want to issue the RC2 yourself, please let me know.
> 
> please don't cut an RC2 this week. This vote took 6 days and some nitpicks. I 
> am afraid it might be open over christmas. Apart from that, I know how tight 
> your schedule is, so you may take it as a relief to not cut another one :)
> 
> Thanks for your hard work!
> 
> 
>> 
>> On Wed, Dec 13, 2023 at 4:26 PM Volkan Yazıcı  wrote:
>> 
>>> This is a vote to release the Apache Log4j 3.0.0-beta1.
>>> 
>>> Website: https://logging.staged.apache.org/log4j
>>> GitHub: https://github.com/apache/logging-log4j2
>>> Commit: c5dbdcfeb0216e1e3e333436e9b4d04cc3b8e6fd
>>> Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j
>>> Nexus:
>>> https://repository.apache.org/content/repositories/orgapachelogging-1246
>>> Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0
>>> 
>>> Please download, test, and cast your votes on this mailing list.
>>> 
>>> [ ] +1, release the artifacts
>>> [ ] -1, don't release, because...
>>> 
>>> This vote is open for 72 hours and will pass unless getting a
>>> net negative vote count. All votes are welcome and we encourage
>>> everyone to test the release, but only the Logging Services PMC
>>> votes are officially counted.
>>> 
>>> == Review Kit
>>> 
>>> The minimum set of steps needed to review the uploaded distribution
>>> files in the Subversion repository can be summarized as follows:
>>> 
>>># Check out the distribution
>>>svn co https://dist.apache.org/repos/... && cd $_
>>> 
>>># Verify checksums
>>>shasum --check *.sha512
>>> 
>>># Verify signatures
>>>wget -O - https://downloads.apache.org/logging/KEYS | gpg --import
>>>for sigFile in *.asc; do gpg --verify $sigFile; done
>>> 
>>># Verify reproduciblity
>>>umask 0022
>>>unzip *-src.zip -d src
>>>cd src
>>>export NEXUS_REPO=https://repository.apache.org/content/...
>>>sh mvnw -Prelease \
>>>verify artifact:compare \
>>>-Dreference.repo=$NEXUS_REPO \
>>>-Dcyclonedx.skip
>>> 
>>> Some SBOM discrepancy is causing reproducibility mismatch, hence the
>>> `-Dcyclonedx.skip`. Since `2.x` and `main` are greatly diverged, I couldn't
>>> figure out the missing piece yet.
>>> 
>>> == Release Notes
>>> 
>>> This is the first beta release of the upcoming major release, i.e.,
>>> `3.0.0`.
>>> 
>>> === Added
>>> 
>>> * Add annotations for nullability. (LOG4J2-1477)
>>> * Remove deprecated code. (LOG4J2-2493)
>>> * Add a more generalized dependency injection system to plugins inspired
>>> by JSR 330. (LOG4J2-2803)
>>> * Add and enhance structured properties for per-context settings outside
>>> configuration files. (1473)
>>> * Automate artifact publishing and release preparation. (LOG4J2-3466)
>>> * Add support for dependency injection of plugins into container types
>>> such as `Optional`, `Collection`, `Set`, `Stream`, `List`,
>>> and `Map`. (LOG4J2-3496)
>>> * Add support for `ConstraintValidator` in plugin classes. (LOG4J2-3497)
>>> 
>>> === Changed
>>> 
>>> * Remove liquibase-log4j2 maven module (#1193)
>>> * Make the output of annotation processing reproducible. (#1520)
>>> * Replace `synchronized` blocks with locks for improved performance with
>>> virtual threads. (#1532)
>>> * Removes additional `isFiltered` checks in `AsyncLoggerConfig`. (#1550)
>>> * Ignore exceptions thrown by PropertySources. Eliminate
>>> ClassCastException when SimpleLoggerContext is used.
>>> (spring-projects/spring-boot#33450, #1799)
>>> * Update `com.lmax:disruptor` to version `4.0.0` (#1829)
>>> * Migrate most tests to JUnit 5. This includes a more powerful set of test
>>> extensions. (LOG4J2-2653)
>>> * Make Log4j use its own BOM. (LOG4J2-3511)
>>> * Change encoding of HTTP Basic Authentication to UTF-8. (#1970)
>>> * Upgraded the required compiler version to Java 17
>>> * Upgraded the required runtime version to Java 17
>>> * Update `actions/checkout` to version `4.1.1` (#1869)
>>> * Update `actions/setup-java` to version `3.13.0` (#1809)
>>> * Update `actions/setup-python` to version `4.7.1` (#1831)
>>> * Update `ch.qos.logback:logback-classic` to version `1.4.14` (#2028)
>>> * Update `com.datastax.cassandra:cassandra-driver-core` to version
>>> `3.11.5` (#1889)
>>> * Update `com.fasterxml.jackson:jackson-bom` to version `2.16.0` (#1974)
>>> * Update `com.github.luben:zstd-j

Re: [log4j] Revamping Log4j website & manual structure

[Volkan Yazıcı]

*[We can indeed discuss this further in the video call.]*

If I am not mistaken, you were a big fan of PostgreSQL's website – correct
me if I am wrong. The current structure is pretty much analogous to what
they have: a set of common pages (about, support, tutorials, etc.) and
major-version-specific manuals.

We deliberately moved certain tutorials/resources/guidance (How to log
against the Log4j API? Your first `log4j2.xml`. What is Log4j, SLF4J,
etc.?) to the top level, since that is what 90% of the users look for and
their content applies to every release without almost any changes. These
high level intros will contain links to the relevant manual sections
containing elaborate explanations.

As a matter of fact, this is what PostgreSQL does too. They have tutorials at
the root level  and at
the manual level . Though
I doubt if the area we need to cover in a tutorial is as big as what
PostgreSQL needs to cover. That is, once you get an idea of appenders,
layouts, loggers, filters, etc. you are good to go. OTOH, the PostgreSQL
tutorial tries to teach you an entire SQL standard.

As I also tried to hint in the proposal document, I am in favor of starting
small and extending as need arises.

On Tue, Dec 19, 2023 at 1:54 PM Gary Gregory  wrote:

> Hi all,
>
> Thank you V for putting this together.
>
> From a high level, I don't like that the proposal is split into a website
> and a manual. The material should be the same and obviously optionally
> differently as a site vs a manual. For example, why is the tutorial
> excluded from the manual? Anyway, this might all be quicker to discuss in a
> meeting.
>
> Maybe the proposal refers to the current state of things?
>
> The text refers to 3 major versions being widely used, obviously only 2 are
> in play ATM.
>
> Gary
>
> On Tue, Dec 19, 2023, 5:03 AM Volkan Yazıcı  wrote:
>
> > *TLDR:* Log4j website & manual structure (i.e., sectioning) will be
> > changed. Please reply for feedback and/or support.
> >
> > As a part of the planned Log4j website & manual revamp
> > , I
> ask
> > for your feedback on the structure Christian, Piotr, and I had worked out
> > earlier:
> >
> >
> https://docs.google.com/document/d/10Fu7oqDzdM_D6LbexzwX9arh51Tic7AGvkWTQrL6jjQ
> > PMC
> > members have editor rights to the document, the rest can only view.
> > Ideally, first the discussion should take place here rather than directly
> > updating the document.
> >
> > Please take into account that this discussion is only about the
> structural
> > organization. It is **not** about tooling (Markdown, AsciiDoc, Antora,
> > Maven, etc.), which repository/repositories to store the sources, or
> URLs.
> >
>

Re: [VOTE] Release Apache Log4j 3.0.0-beta1

[Christian Grobmeier]

Hi Ralph

On Tue, Dec 19, 2023, at 16:20, Ralph Goers wrote:
> The vote has been open for 6 days because we were under the impression 
> the vote was going be cancelled based on Piotr’s feedback. I can commit 
> to having the review done in 72 hrs if the release is cut today or 
> tomorrow. This slow down for me at work this time of the year so 
> between now and New Years Day is a great time to get stuff done.

Volkan must decide, but I assume some of us will be out of the office starting 
this Saturday, and I wonder if he will find the time to cut one (I know what he 
has left on his plate).

Could you help out as a release manager in case he can't?
Generally, spreading the knowledge of releasing using the new toy is a good 
idea.

Christian

> Ralph
>
>> On Dec 19, 2023, at 6:12 AM, Christian Grobmeier  
>> wrote:
>> 
>> Hi Volkan
>> 
>> On Tue, Dec 19, 2023, at 13:43, Volkan Yazıcı wrote:
>>> I am cancelling this vote. I may try to issue an RC2 this week if time
>>> allows. If you think that is inconvenient due to upcoming xmas, and/or you
>>> want to issue the RC2 yourself, please let me know.
>> 
>> please don't cut an RC2 this week. This vote took 6 days and some nitpicks. 
>> I am afraid it might be open over christmas. Apart from that, I know how 
>> tight your schedule is, so you may take it as a relief to not cut another 
>> one :)
>> 
>> Thanks for your hard work!
>> 
>> 
>>> 
>>> On Wed, Dec 13, 2023 at 4:26 PM Volkan Yazıcı  wrote:
>>> 
 This is a vote to release the Apache Log4j 3.0.0-beta1.
 
 Website: https://logging.staged.apache.org/log4j
 GitHub: https://github.com/apache/logging-log4j2
 Commit: c5dbdcfeb0216e1e3e333436e9b4d04cc3b8e6fd
 Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j
 Nexus:
 https://repository.apache.org/content/repositories/orgapachelogging-1246
 Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0
 
 Please download, test, and cast your votes on this mailing list.
 
 [ ] +1, release the artifacts
 [ ] -1, don't release, because...
 
 This vote is open for 72 hours and will pass unless getting a
 net negative vote count. All votes are welcome and we encourage
 everyone to test the release, but only the Logging Services PMC
 votes are officially counted.
 
 == Review Kit
 
 The minimum set of steps needed to review the uploaded distribution
 files in the Subversion repository can be summarized as follows:
 
# Check out the distribution
svn co https://dist.apache.org/repos/... && cd $_
 
# Verify checksums
shasum --check *.sha512
 
# Verify signatures
wget -O - https://downloads.apache.org/logging/KEYS | gpg --import
for sigFile in *.asc; do gpg --verify $sigFile; done
 
# Verify reproduciblity
umask 0022
unzip *-src.zip -d src
cd src
export NEXUS_REPO=https://repository.apache.org/content/...
sh mvnw -Prelease \
verify artifact:compare \
-Dreference.repo=$NEXUS_REPO \
-Dcyclonedx.skip
 
 Some SBOM discrepancy is causing reproducibility mismatch, hence the
 `-Dcyclonedx.skip`. Since `2.x` and `main` are greatly diverged, I couldn't
 figure out the missing piece yet.
 
 == Release Notes
 
 This is the first beta release of the upcoming major release, i.e.,
 `3.0.0`.
 
 === Added
 
 * Add annotations for nullability. (LOG4J2-1477)
 * Remove deprecated code. (LOG4J2-2493)
 * Add a more generalized dependency injection system to plugins inspired
 by JSR 330. (LOG4J2-2803)
 * Add and enhance structured properties for per-context settings outside
 configuration files. (1473)
 * Automate artifact publishing and release preparation. (LOG4J2-3466)
 * Add support for dependency injection of plugins into container types
 such as `Optional`, `Collection`, `Set`, `Stream`, `List`,
 and `Map`. (LOG4J2-3496)
 * Add support for `ConstraintValidator` in plugin classes. (LOG4J2-3497)
 
 === Changed
 
 * Remove liquibase-log4j2 maven module (#1193)
 * Make the output of annotation processing reproducible. (#1520)
 * Replace `synchronized` blocks with locks for improved performance with
 virtual threads. (#1532)
 * Removes additional `isFiltered` checks in `AsyncLoggerConfig`. (#1550)
 * Ignore exceptions thrown by PropertySources. Eliminate
 ClassCastException when SimpleLoggerContext is used.
 (spring-projects/spring-boot#33450, #1799)
 * Update `com.lmax:disruptor` to version `4.0.0` (#1829)
 * Migrate most tests to JUnit 5. This includes a more powerful set of test
 extensions. (LOG4J2-2653)
 * Make Log4j use its own BOM. (LOG4J2-3511)
 * Change encoding of HTTP Basic Authentication to UTF-8. (#1970)
 * Upgraded the required compiler version to Java 17
 * 

[VOTE] Release Apache Log4j 3.0.0-beta1 (RC2)

[Volkan Yazıcı]

This is a vote to release the Apache Log4j 3.0.0-beta1 RC2.

Website: https://logging.staged.apache.org/log4j/3.x
GitHub: https://github.com/apache/logging-log4j2
Commit: 416cd4dcf419b59c88054d2001d34c7fec010560
Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j
Nexus: https://repository.apache.org/content/repositories/orgapachelogging-1252
Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0

Please download, test, and cast your votes on this mailing list.

[ ] +1, release the artifacts
[ ] -1, don't release, because...

This vote is open for 72 hours and will pass unless getting a
net negative vote count. All votes are welcome and we encourage
everyone to test the release, but only the Logging Services PMC
votes are officially counted.

PLEASE USE THIS THREAD ONLY FOR VOTING +1 OR -1. IF YOU HAVE THOUGHTS,
CONCERNS, QUESTIONS, ETC. SHARE THEM ELSEWHERE. THIS IS A BETA
RELEASE. WE INTEND TO HAVE SEVERAL OTHER BETA RELEASES. THIS IS NOT
THE CONCLUSIVE `3.0.0` RELEASE.

== Review Kit

The minimum set of steps needed to review the uploaded distribution
files in the Subversion repository can be summarized as follows:

# Check out the distribution
svn co https://dist.apache.org/repos/... && cd $_

# Verify checksums
shasum --check *.sha512

# Verify signatures
wget -O - https://downloads.apache.org/logging/KEYS | gpg --import
for sigFile in *.asc; do gpg --verify $sigFile; done

# Verify reproduciblity
umask 0022
unzip *-src.zip -d src
cd src
export NEXUS_REPO=https://repository.apache.org/content/...
sh mvnw -Prelease verify artifact:compare -Dreference.repo=$NEXUS_REPO

== Release Notes

This is the first beta release of the upcoming major release, i.e., `3.0.0`.

=== Added

* Add annotations for nullability. (LOG4J2-1477)
* Remove deprecated code. (LOG4J2-2493)
* Add a more generalized dependency injection system to plugins
inspired by JSR 330. (LOG4J2-2803)
* Add and enhance structured properties for per-context settings
outside configuration files. (LOG4J2-3299[LOG4J2-3299], #1473)
* Automate artifact publishing and release preparation. (LOG4J2-3466)
* Add support for dependency injection of plugins into container types
such as `Optional`, `Collection`, `Set`, `Stream`,
`List`, and `Map`. (LOG4J2-3496)
* Add support for `ConstraintValidator` in plugin classes. (LOG4J2-3497)

=== Changed

* Remove liquibase-log4j2 maven module (#1193)
* Make the output of annotation processing reproducible. (#1520)
* Replace `synchronized` blocks with locks for improved performance
with virtual threads. (#1532)
* Removes additional `isFiltered` checks in `AsyncLoggerConfig`. (#1550)
* Ignore exceptions thrown by PropertySources. Eliminate
ClassCastException when SimpleLoggerContext is used.
(spring-projects/spring-boot#33450, #1799)
* Update `com.lmax:disruptor` to version `4.0.0` (#1829)
* Migrate most tests to JUnit 5. This includes a more powerful set of
test extensions. (LOG4J2-2653)
* Make Log4j use its own BOM. (LOG4J2-3511)
* Change encoding of HTTP Basic Authentication to UTF-8. (#1970)
* Upgraded the required compiler version to Java 17
* Upgraded the required runtime version to Java 17
* Update `actions/checkout` to version `4.1.1` (#1869)
* Update `actions/setup-java` to version `3.13.0` (#1809)
* Update `actions/setup-python` to version `4.7.1` (#1831)
* Update `ch.qos.logback:logback-classic` to version `1.4.14` (#2028)
* Update `com.datastax.cassandra:cassandra-driver-core` to version
`3.11.5` (#1889)
* Update `com.fasterxml.jackson:jackson-bom` to version `2.16.0` (#1974)
* Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2032)
* Update `com.github.spotbugs:spotbugs-maven-plugin` to version
`4.7.3.6` (#1879)
* Update `com.github.tomakehurst:wiremock-jre8` to version `2.35.1` (#1765)
* Update 
`com.google.code.java-allocation-instrumenter:java-allocation-instrumenter`
to version `3.3.4` (#2102)
* Update `com.google.errorprone:error_prone_core` to version `2.23.0` (#1871)
* Update `com.google.guava:guava-testlib` to version `32.1.3-jre` (#1934)
* Update `com.h2database:h2` to version `2.2.224` (#1917)
* Update `commons-codec:commons-codec` to version `1.16.0` (#2054)
* Update `commons-io:commons-io` to version `2.15.1` (#2035)
* Update `commons-logging:commons-logging` to version `1.3.0` (#2046)
* Update `de.flapdoodle.reverse:de.flapdoodle.reverse` to version
`1.7.2` (#2000)
* Update `io.netty:netty-bom` to version `4.1.104.Final` (#2097)
* Update `net.java.dev.jna:jna` to version `5.14.0` (#2082)
* Update `org.apache.aries.spifly:org.apache.aries.spifly.dynamic.bundle`
to version `1.3.7` (#2053)
* Update `org.apache.commons:commons-compress` to version `1.25.0` (#2055)
* Update `org.apache.commons:commons-csv` to version `1.10.0` (#2041)
* Update `org.apache.commons:commons-dbcp2` to version `2.11.0` (#2044)
* Update `org.apache.commons:commons-lang3` to version `3.14.0` (#2036)
* Update `org.apache.commons:commons-pool2` to ver

Re: [VOTE] Release Apache Log4j 3.0.0-beta1

[Christian Grobmeier]

Hi

On Tue, Dec 19, 2023, at 21:14, Christian Grobmeier wrote:
> Hi Ralph
>
> On Tue, Dec 19, 2023, at 16:20, Ralph Goers wrote:
>> The vote has been open for 6 days because we were under the impression 
>> the vote was going be cancelled based on Piotr’s feedback. I can commit 
>> to having the review done in 72 hrs if the release is cut today or 
>> tomorrow. This slow down for me at work this time of the year so 
>> between now and New Years Day is a great time to get stuff done.
>
> Volkan must decide, but I assume some of us will be out of the office 
> starting this Saturday, and I wonder if he will find the time to cut 
> one (I know what he has left on his plate).
>
> Could you help out as a release manager in case he can't?
> Generally, spreading the knowledge of releasing using the new toy is a 
> good idea.

Disregarding my last message, Volkan found the time it seems.


>
> Christian
>
>> Ralph
>>
>>> On Dec 19, 2023, at 6:12 AM, Christian Grobmeier  
>>> wrote:
>>> 
>>> Hi Volkan
>>> 
>>> On Tue, Dec 19, 2023, at 13:43, Volkan Yazıcı wrote:
 I am cancelling this vote. I may try to issue an RC2 this week if time
 allows. If you think that is inconvenient due to upcoming xmas, and/or you
 want to issue the RC2 yourself, please let me know.
>>> 
>>> please don't cut an RC2 this week. This vote took 6 days and some nitpicks. 
>>> I am afraid it might be open over christmas. Apart from that, I know how 
>>> tight your schedule is, so you may take it as a relief to not cut another 
>>> one :)
>>> 
>>> Thanks for your hard work!
>>> 
>>> 
 
 On Wed, Dec 13, 2023 at 4:26 PM Volkan Yazıcı  wrote:
 
> This is a vote to release the Apache Log4j 3.0.0-beta1.
> 
> Website: https://logging.staged.apache.org/log4j
> GitHub: https://github.com/apache/logging-log4j2
> Commit: c5dbdcfeb0216e1e3e333436e9b4d04cc3b8e6fd
> Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j
> Nexus:
> https://repository.apache.org/content/repositories/orgapachelogging-1246
> Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0
> 
> Please download, test, and cast your votes on this mailing list.
> 
> [ ] +1, release the artifacts
> [ ] -1, don't release, because...
> 
> This vote is open for 72 hours and will pass unless getting a
> net negative vote count. All votes are welcome and we encourage
> everyone to test the release, but only the Logging Services PMC
> votes are officially counted.
> 
> == Review Kit
> 
> The minimum set of steps needed to review the uploaded distribution
> files in the Subversion repository can be summarized as follows:
> 
># Check out the distribution
>svn co https://dist.apache.org/repos/... && cd $_
> 
># Verify checksums
>shasum --check *.sha512
> 
># Verify signatures
>wget -O - https://downloads.apache.org/logging/KEYS | gpg --import
>for sigFile in *.asc; do gpg --verify $sigFile; done
> 
># Verify reproduciblity
>umask 0022
>unzip *-src.zip -d src
>cd src
>export NEXUS_REPO=https://repository.apache.org/content/...
>sh mvnw -Prelease \
>verify artifact:compare \
>-Dreference.repo=$NEXUS_REPO \
>-Dcyclonedx.skip
> 
> Some SBOM discrepancy is causing reproducibility mismatch, hence the
> `-Dcyclonedx.skip`. Since `2.x` and `main` are greatly diverged, I 
> couldn't
> figure out the missing piece yet.
> 
> == Release Notes
> 
> This is the first beta release of the upcoming major release, i.e.,
> `3.0.0`.
> 
> === Added
> 
> * Add annotations for nullability. (LOG4J2-1477)
> * Remove deprecated code. (LOG4J2-2493)
> * Add a more generalized dependency injection system to plugins inspired
> by JSR 330. (LOG4J2-2803)
> * Add and enhance structured properties for per-context settings outside
> configuration files. (1473)
> * Automate artifact publishing and release preparation. (LOG4J2-3466)
> * Add support for dependency injection of plugins into container types
> such as `Optional`, `Collection`, `Set`, `Stream`, `List`,
> and `Map`. (LOG4J2-3496)
> * Add support for `ConstraintValidator` in plugin classes. (LOG4J2-3497)
> 
> === Changed
> 
> * Remove liquibase-log4j2 maven module (#1193)
> * Make the output of annotation processing reproducible. (#1520)
> * Replace `synchronized` blocks with locks for improved performance with
> virtual threads. (#1532)
> * Removes additional `isFiltered` checks in `AsyncLoggerConfig`. (#1550)
> * Ignore exceptions thrown by PropertySources. Eliminate
> ClassCastException when SimpleLoggerContext is used.
> (spring-projects/spring-boot#33450, #1799)
> * Update `com.lmax:disruptor` to version `4.0.0` (#1829)
> * Migrate most tests to