Re: [DISCUSS][VOTE] Future of Log4j 1.x

[Christian Grobmeier]

Hi Leo,

good new year to you!

On Sun, Jan 2, 2022, at 07:12, Leo Simons wrote:
> Hey,
>
> Happy new year everyone!
>
> On Wed, Dec 29, 2021 at 8:54 PM Ralph Goers 
> wrote:
>
>> Leo seemed interested at first but didn’t weigh in on the discussion
>> thread.
>
>
> I'm here. I did mention in a couple mails I'd be away. Real life happens :).
>
> I think I made clear what I am interested in through several emails and in
> code.
> I've also pointed out what I wouldn't do (like step up as a maintainer on a
> permanent basis, or incubate something).

I think you are very welcome at this place and no matter the outcome of this 
vote, let us discuss how you can still find an open source home here. I know 
you have a different opinion, but learning more about Log4j1 I think a person 
with your skills and dedication is more than welcome in working with log4j 1 
migration.

cheers!

> I think all the relevant arguments on how to proceed with 1.x have been
> made (a few times...).
> I don't have anything new to add.
> I'll accept the vote outcome.
>
>
> Cheers!
>
>
> Leo

Re: [DISCUSS][VOTE] Future of Log4j 1.x

[Leo Simons]

Hey,

Happy new year everyone!

On Wed, Dec 29, 2021 at 8:54 PM Ralph Goers 
wrote:

> Leo seemed interested at first but didn’t weigh in on the discussion
> thread.


I'm here. I did mention in a couple mails I'd be away. Real life happens :).

I think I made clear what I am interested in through several emails and in
code.
I've also pointed out what I wouldn't do (like step up as a maintainer on a
permanent basis, or incubate something).

I think all the relevant arguments on how to proceed with 1.x have been
made (a few times...).
I don't have anything new to add.
I'll accept the vote outcome.


Cheers!


Leo

[DISCUSS][VOTE] Future of Log4j 1.x

[Ralph Goers]

Discussion shouldn’t happen on the main vote thread please.

Users are certainly free to use Logback. If they are OK with losing log events 
during reconfiguration and using a framework that is maintained by one person 
and are OK when he disappears for a year and a half that is their choice. 
Please 
remember, this is not a commercial venture. No Java logging framework is. 

Switching to Logback also requires work. It doesn’t natively support Log4j 1 
configuration files. Log4j 2 does support Log4j 1 configuration using the Log4j 
1.2 bridge, which we are constantly improving.

But the bottom line is that I would prefer that users migrate to Logback over 
sticking with Log4j 1. Although it has many of Log4j 1’s flaws it does not 
suffer 
from the multi-threading issues that Log4j 1 has. Of course, I think Log4j 2 is 
a 
better choice, but I am obviously biased.

Happy New Year!

Ralph



> On Jan 1, 2022, at 8:40 AM, Xeno Amess  wrote:
> 
> +0
> 
>> People should migrate to log4j2.
> good thinking, but what if they migrate to logback...
> IMO logback is a thing more likely log4j1 than log4j2, just user side.
> 
> 
> Ralph Goers  于2022年1月1日周六 23:18写道：
> 
>> +1 to Option 1
>> 
>> Ralph
>> 
>>> On Dec 29, 2021, at 12:33 PM, Christian Grobmeier 
>> wrote:
>>> 
>>> Hello,
>>> 
>>> as discussed in another thread, this is a vote about the future of log4j
>> 1. This vote stays open for the usual 72h.
>>> Options are explained below.
>>> 
>>> You can vote for:
>>> 
>>> [ ] +1, Option 1
>>> [ ] +1, Option 2
>>> [ ] +/- 0, abstain
>>> [ ] -1 object against those options
>>> 
>>> Option 1: Create a README.md that publishes the projects EOL status and
>> do nothing else.
>>> Option 2: Create a README which says the project is EOL but allow the
>> following work for 1.2.18 AND create a full release:
>>>   a.  Make the build work with a modern version of Maven.
>>>   b.  Fix the Java version bug.
>>>   c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
>>>   d.  Fix CVE-2019-17571
>>> 
>>> Regards,
>>> Christian
>>> --
>>> The Apache Software Foundation
>>> V.P., Data Privacy
>>> 
>> 
>> 

Re: [DISCUSS][VOTE] Future of Log4j 1.x

[Ralph Goers]

These show up as two distinct threads In Mail on my MacBook Pro. 

FWIW, the PMC is aware of at least two distributions that already seem to 
fulfill the need of providing patched versions of Log4 1:

1. https://github.com/albfernandez/log4j/
2. https://search.maven.org/artifact/io.confluent/confluent-log4j (The source 
appears to be in a private repository).

Of course, both of these use different maven coordinates than Apache Log4j so 
users will have to ensure they exclude the Apache Log4j dependencies.

Ralph





> On Dec 30, 2021, at 5:23 AM, Vladimir Sitnikov  
> wrote:
> 
> Christian>vote in this thread, which is, btw not meant for discussion but
> for voting.
> 
> We are on a [DISCUSS] thread (check the subject).
> 
> Ralph "created" [DISCUSS] thread by hitting "reply" and changing the
> subject.
> "reply" keeps message-id, so it might look like a single thread.
> 
> See both "[DISCUSS][VOTE] Future of Log4j 1.x" and "[VOTE] Future of Log4j
> 1.x"
> at https://lists.apache.org/list.html?dev@logging.apache.org
> 
> Vladimir

Re: [DISCUSS][VOTE] Future of Log4j 1.x

[Vladimir Sitnikov]

Christian>vote in this thread, which is, btw not meant for discussion but
for voting.

We are on a [DISCUSS] thread (check the subject).

Ralph "created" [DISCUSS] thread by hitting "reply" and changing the
subject.
"reply" keeps message-id, so it might look like a single thread.

See both "[DISCUSS][VOTE] Future of Log4j 1.x" and "[VOTE] Future of Log4j
1.x"
at https://lists.apache.org/list.html?dev@logging.apache.org

Vladimir

Re: [DISCUSS][VOTE] Future of Log4j 1.x

[Christian Grobmeier]

If there is long term commitment apart from these urgent fixes we can run 
another vote.

You cannot guarantee you are alive by February, nobody can give such guarantees.

The logging pmc is not here to accept all patches as they come in but to make 
decisions best to the project (among other duties).

Once there is a mandate and consent among pmc we most likely try to review and 
comment on the prs coming in. No guarantees though your pr will be accepted as 
it is.

That said, we continue to vote in New committers and pmc members as we always 
have. Prerequisites to become logging committer is long term interest in 
logging and understanding the ASF way. Also, I daresay, many people here like 
to add new people when they are adding positive attitude (versus toxic 
behavior).

I hope all your questions are clarified now and we can continue to discuss (see 
Ralph's message) on slack and vote in this thread, which is, btw not meant for 
discussion but for voting.

--
The Apache Software Foundation
V.P., Data Privacy

On Wed, Dec 29, 2021, at 21:41, Vladimir Sitnikov wrote:
>>Log4j is owned by the Logging Services PMC. You cannot incubate it without
> this PMC’s approval.
>
> Exactly. As far as I understand, Logging pmc should accept patches and
> release fixes or they should approve reincubating.
> Of course, you can try rejecting patches and disapprove reincubation,
> however, that won't hold water.
>
> Unfortunately, I have not seen the response from the logging pmc regarding
> approve/disapprove re-incubating. There's a pending question to Ron still.
>
> I do not consider forks outside of the ASF.
>
>>But I notice the one topic you did not respond to was the lack of
> interested people other than yourself. Why is that?
>
> I find the question irrelevant, and I find it has nothing to do with
> accepting patches and releasing 1.2
> I belive there were even people on incubator thread, so it is strange why
> do you demand that I provide you with a list of rock-star 1.x maintainers.
>
> 1) I can't guarantee I will be alive in February. Can you guarantee all the
> logging pmc members will be alive then? I doubt so. So I find that
> questions like "how can we be sure you will send patches" too intimate.
>
> 2) I have already filed a patch for buildscripts. Whould you review it and
> merge?
>
> 3) Suppose I find a team (e.g 4-5 ASF fellows) who are willing to support
> 1.2. What do you do then? Would you add all of them to the logging pmc?
> I don't really see the point why do you ask, and at the same time I can't
> guarantee the people I gather will be alive tomorrow. I can't guarantee
> they will always have interest in 1.2
>
> Vladimir

Re: [DISCUSS][VOTE] Future of Log4j 1.x

[Christian Grobmeier]

Makes sense. I will close thus vote not earlier than Jan 5, if there is no 
further objections. Thanks for  your input Tim

--
The Apache Software Foundation
V.P., Data Privacy

On Thu, Dec 30, 2021, at 01:56, Tim Perry wrote:
> I propose that this vote should stay open longer than 72 hours given 
> that we are coming up on New Years and many people who would wish to 
> weigh in might be on vacation right now. 
>
> Tim
>
>> On Dec 29, 2021, at 2:29 PM, Matt Sicker  wrote:
>> 
>> Consistent contributors are frequently invited to be committers and later 
>> PMC members. Having at least three people maintaining anything is an Apache 
>> standard for maintaining vendor neutrality, ensuring a minimum number of 
>> people can verify release candidates to address security issues or any other 
>> releases.
>> 
>> —
>> Matt Sicker
>> 
>>> On Dec 29, 2021, at 14:41, Vladimir Sitnikov  
>>> wrote:
>>> 
>>> 
 
 Log4j is owned by the Logging Services PMC. You cannot incubate it without
>>> this PMC’s approval.
>>> 
>>> Exactly. As far as I understand, Logging pmc should accept patches and
>>> release fixes or they should approve reincubating.
>>> Of course, you can try rejecting patches and disapprove reincubation,
>>> however, that won't hold water.
>>> 
>>> Unfortunately, I have not seen the response from the logging pmc regarding
>>> approve/disapprove re-incubating. There's a pending question to Ron still.
>>> 
>>> I do not consider forks outside of the ASF.
>>> 
 But I notice the one topic you did not respond to was the lack of
>>> interested people other than yourself. Why is that?
>>> 
>>> I find the question irrelevant, and I find it has nothing to do with
>>> accepting patches and releasing 1.2
>>> I belive there were even people on incubator thread, so it is strange why
>>> do you demand that I provide you with a list of rock-star 1.x maintainers.
>>> 
>>> 1) I can't guarantee I will be alive in February. Can you guarantee all the
>>> logging pmc members will be alive then? I doubt so. So I find that
>>> questions like "how can we be sure you will send patches" too intimate.
>>> 
>>> 2) I have already filed a patch for buildscripts. Whould you review it and
>>> merge?
>>> 
>>> 3) Suppose I find a team (e.g 4-5 ASF fellows) who are willing to support
>>> 1.2. What do you do then? Would you add all of them to the logging pmc?
>>> I don't really see the point why do you ask, and at the same time I can't
>>> guarantee the people I gather will be alive tomorrow. I can't guarantee
>>> they will always have interest in 1.2
>>> 
>>> Vladimir

Re: [DISCUSS][VOTE] Future of Log4j 1.x

[Dominik Psenner]

+1, Option 1

People should migrate to log4j2.

On Thu, 30 Dec 2021 at 01:56, Tim Perry  wrote:

> I propose that this vote should stay open longer than 72 hours given that
> we are coming up on New Years and many people who would wish to weigh in
> might be on vacation right now.
>
> Tim
>
> > On Dec 29, 2021, at 2:29 PM, Matt Sicker  wrote:
> >
> > Consistent contributors are frequently invited to be committers and
> later PMC members. Having at least three people maintaining anything is an
> Apache standard for maintaining vendor neutrality, ensuring a minimum
> number of people can verify release candidates to address security issues
> or any other releases.
> >
> > —
> > Matt Sicker
> >
> >> On Dec 29, 2021, at 14:41, Vladimir Sitnikov <
> sitnikov.vladi...@gmail.com> wrote:
> >>
> >> 
> >>>
> >>> Log4j is owned by the Logging Services PMC. You cannot incubate it
> without
> >> this PMC’s approval.
> >>
> >> Exactly. As far as I understand, Logging pmc should accept patches and
> >> release fixes or they should approve reincubating.
> >> Of course, you can try rejecting patches and disapprove reincubation,
> >> however, that won't hold water.
> >>
> >> Unfortunately, I have not seen the response from the logging pmc
> regarding
> >> approve/disapprove re-incubating. There's a pending question to Ron
> still.
> >>
> >> I do not consider forks outside of the ASF.
> >>
> >>> But I notice the one topic you did not respond to was the lack of
> >> interested people other than yourself. Why is that?
> >>
> >> I find the question irrelevant, and I find it has nothing to do with
> >> accepting patches and releasing 1.2
> >> I belive there were even people on incubator thread, so it is strange
> why
> >> do you demand that I provide you with a list of rock-star 1.x
> maintainers.
> >>
> >> 1) I can't guarantee I will be alive in February. Can you guarantee all
> the
> >> logging pmc members will be alive then? I doubt so. So I find that
> >> questions like "how can we be sure you will send patches" too intimate.
> >>
> >> 2) I have already filed a patch for buildscripts. Whould you review it
> and
> >> merge?
> >>
> >> 3) Suppose I find a team (e.g 4-5 ASF fellows) who are willing to
> support
> >> 1.2. What do you do then? Would you add all of them to the logging pmc?
> >> I don't really see the point why do you ask, and at the same time I
> can't
> >> guarantee the people I gather will be alive tomorrow. I can't guarantee
> >> they will always have interest in 1.2
> >>
> >> Vladimir
>


-- 
Dominik Psenner

Re: [DISCUSS][VOTE] Future of Log4j 1.x

[Tim Perry]

I propose that this vote should stay open longer than 72 hours given that we 
are coming up on New Years and many people who would wish to weigh in might be 
on vacation right now. 

Tim

> On Dec 29, 2021, at 2:29 PM, Matt Sicker  wrote:
> 
> Consistent contributors are frequently invited to be committers and later 
> PMC members. Having at least three people maintaining anything is an Apache 
> standard for maintaining vendor neutrality, ensuring a minimum number of 
> people can verify release candidates to address security issues or any other 
> releases.
> 
> —
> Matt Sicker
> 
>> On Dec 29, 2021, at 14:41, Vladimir Sitnikov  
>> wrote:
>> 
>> 
>>> 
>>> Log4j is owned by the Logging Services PMC. You cannot incubate it without
>> this PMC’s approval.
>> 
>> Exactly. As far as I understand, Logging pmc should accept patches and
>> release fixes or they should approve reincubating.
>> Of course, you can try rejecting patches and disapprove reincubation,
>> however, that won't hold water.
>> 
>> Unfortunately, I have not seen the response from the logging pmc regarding
>> approve/disapprove re-incubating. There's a pending question to Ron still.
>> 
>> I do not consider forks outside of the ASF.
>> 
>>> But I notice the one topic you did not respond to was the lack of
>> interested people other than yourself. Why is that?
>> 
>> I find the question irrelevant, and I find it has nothing to do with
>> accepting patches and releasing 1.2
>> I belive there were even people on incubator thread, so it is strange why
>> do you demand that I provide you with a list of rock-star 1.x maintainers.
>> 
>> 1) I can't guarantee I will be alive in February. Can you guarantee all the
>> logging pmc members will be alive then? I doubt so. So I find that
>> questions like "how can we be sure you will send patches" too intimate.
>> 
>> 2) I have already filed a patch for buildscripts. Whould you review it and
>> merge?
>> 
>> 3) Suppose I find a team (e.g 4-5 ASF fellows) who are willing to support
>> 1.2. What do you do then? Would you add all of them to the logging pmc?
>> I don't really see the point why do you ask, and at the same time I can't
>> guarantee the people I gather will be alive tomorrow. I can't guarantee
>> they will always have interest in 1.2
>> 
>> Vladimir

Re: [DISCUSS][VOTE] Future of Log4j 1.x

[Matt Sicker]

Consistent contributors are frequently invited to be committers and later PMC 
members. Having at least three people maintaining anything is an Apache 
standard for maintaining vendor neutrality, ensuring a minimum number of people 
can verify release candidates to address security issues or any other releases.

—
Matt Sicker

> On Dec 29, 2021, at 14:41, Vladimir Sitnikov  
> wrote:
> 
> 
>> 
>> Log4j is owned by the Logging Services PMC. You cannot incubate it without
> this PMC’s approval.
> 
> Exactly. As far as I understand, Logging pmc should accept patches and
> release fixes or they should approve reincubating.
> Of course, you can try rejecting patches and disapprove reincubation,
> however, that won't hold water.
> 
> Unfortunately, I have not seen the response from the logging pmc regarding
> approve/disapprove re-incubating. There's a pending question to Ron still.
> 
> I do not consider forks outside of the ASF.
> 
>> But I notice the one topic you did not respond to was the lack of
> interested people other than yourself. Why is that?
> 
> I find the question irrelevant, and I find it has nothing to do with
> accepting patches and releasing 1.2
> I belive there were even people on incubator thread, so it is strange why
> do you demand that I provide you with a list of rock-star 1.x maintainers.
> 
> 1) I can't guarantee I will be alive in February. Can you guarantee all the
> logging pmc members will be alive then? I doubt so. So I find that
> questions like "how can we be sure you will send patches" too intimate.
> 
> 2) I have already filed a patch for buildscripts. Whould you review it and
> merge?
> 
> 3) Suppose I find a team (e.g 4-5 ASF fellows) who are willing to support
> 1.2. What do you do then? Would you add all of them to the logging pmc?
> I don't really see the point why do you ask, and at the same time I can't
> guarantee the people I gather will be alive tomorrow. I can't guarantee
> they will always have interest in 1.2
> 
> Vladimir

Re: [DISCUSS][VOTE] Future of Log4j 1.x

[Vladimir Sitnikov]

>Log4j is owned by the Logging Services PMC. You cannot incubate it without
this PMC’s approval.

Exactly. As far as I understand, Logging pmc should accept patches and
release fixes or they should approve reincubating.
Of course, you can try rejecting patches and disapprove reincubation,
however, that won't hold water.

Unfortunately, I have not seen the response from the logging pmc regarding
approve/disapprove re-incubating. There's a pending question to Ron still.

I do not consider forks outside of the ASF.

>But I notice the one topic you did not respond to was the lack of
interested people other than yourself. Why is that?

I find the question irrelevant, and I find it has nothing to do with
accepting patches and releasing 1.2
I belive there were even people on incubator thread, so it is strange why
do you demand that I provide you with a list of rock-star 1.x maintainers.

1) I can't guarantee I will be alive in February. Can you guarantee all the
logging pmc members will be alive then? I doubt so. So I find that
questions like "how can we be sure you will send patches" too intimate.

2) I have already filed a patch for buildscripts. Whould you review it and
merge?

3) Suppose I find a team (e.g 4-5 ASF fellows) who are willing to support
1.2. What do you do then? Would you add all of them to the logging pmc?
I don't really see the point why do you ask, and at the same time I can't
guarantee the people I gather will be alive tomorrow. I can't guarantee
they will always have interest in 1.2

Vladimir

Re: [DISCUSS][VOTE] Future of Log4j 1.x

[Ralph Goers]

You are a member of 2 ASF projects yet you don’t understand how the ASF works?

Log4j is owned by the Logging Services PMC. You cannot incubate it without this 
PMC’s approval. 

You can certainly fork it outside the ASF but you cannot call it Log4j as the 
ASF owns the trademark. 
Sonatype would be unlikely to accept such a project with different maven 
coordinates that 
overlaps the log4j package naming as it would create a dependency mess. 

But I notice the one topic you did not respond to was the lack of interested 
people other than yourself. Why is that?

Ralph

> On Dec 29, 2021, at 1:05 PM, Vladimir Sitnikov  
> wrote:
> 
> If you are not interested in maintaining 1.x, please give it away (to
> another pmc or add pmc members) and that is it.
> 
> Even if you all vote for option 1, then I would just reincubate 1.x or find
> an alternative route to make 1.2.18, 1.2.19 and so on. So what is the point
> of this vote then? You can't really prevent 1.2.18, 1.2.19, ...
> 
> Vladimir

Re: [DISCUSS][VOTE] Future of Log4j 1.x

[Vladimir Sitnikov]

If you are not interested in maintaining 1.x, please give it away (to
another pmc or add pmc members) and that is it.

Even if you all vote for option 1, then I would just reincubate 1.x or find
an alternative route to make 1.2.18, 1.2.19 and so on. So what is the point
of this vote then? You can't really prevent 1.2.18, 1.2.19, ...

Vladimir

[DISCUSS][VOTE] Future of Log4j 1.x

[Ralph Goers]

What “People”. So far you are the only person who seems interested. Leo seemed 
interested at first but didn’t weigh in on the discussion thread. AFAIK that’s 
it. Two people does not make a community.

Furthermore, Log4j 1 was declared EOL 6 years ago and has been unsupported for 
9 years. It will remain EOL until the PMC says otherwise.

Ralph

> On Dec 29, 2021, at 12:46 PM, Vladimir Sitnikov  
> wrote:
> 
> -1 as it is invalid to say the project is "end of life" provided there are
> people willing to support it.
> 
> Vladimir

Re: [DISCUSS] The future of Log4j 1.x

[Christian Grobmeier]

I am going to set up a vote for option 1 and 4. I think we have this thread 
open for a long time already and don't  expect many other responses

--
The Apache Software Foundation
V.P., Data Privacy

On Wed, Dec 29, 2021, at 07:55, Volkan Yazıcı wrote:
> Agreed with all points of Carter.
>
> It is either 1 or 4.
> Anything more than 4 (including 5) is a hard no from me.
>
> On Fri, Dec 24, 2021 at 6:00 PM Carter Kozak  wrote:
>
>> I would agree directionally with option 1 or option 4.
>>
>> Making changes without pushing binary artifacts to maven central (options
>> 2 and 3) is unlikely to do much good for the types of projects which still
>> use log4j1. Option 5 is a hard no from me, my time is already too
>> constrained, there are better options, and the architecture limits
>> substantive improvements.
>>
>> -ck
>>
>> On Fri, Dec 24, 2021, at 11:47, Ralph Goers wrote:
>> > As we all know Log4j 1.x reached end of life in August 2015. Log4j
>> 1.2.17 was released on May 26, 2012. The last commit was to update the
>> > web site 7 years ago. The changes.xml file shows there were commits up
>> to sometime in 2012, all of which were performed by Gary Gregory
>> > and Christian Grobmeier who ironically both voted no to opening the repo
>> back up.
>> >
>> > The point of this history is to point out that the project essentially
>> died in 2012. We simply acknowledged it in 2015.
>> >
>> > So now we have voted to open the repo. The question then becomes what to
>> do next and going forward. I see several options:
>> >
>> > 1. Create a README.md that publishes the projects EOL status and do
>> nothing else.
>> > 2. Create a README.md that says the project is EOL and no further big
>> fixes or enhancements will be made but 1.2.18 was a special
>> > circumstance. Perform ONLY the following work for 1.2.18:
>> > a.  Make the build work with a modern version of Maven.
>> > b.  Fix the Java version bug.
>> > c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
>> > d.  Fix CVE-2019-17571
>> > The expectation is that the above would address the actual issues
>> and not just remove classes.
>> > Do NOT perform a release of any kind.
>> > 3. Option 2 but only perform a source release.
>> > 4. Option 2 but perform a full release.
>> > 5. Option 4 but allow development to continue, including bug fixes and
>> enhancements.
>> >
>> > I personally can see valid reasons to do any of the above.  I have my
>> own opinion on this but I will post that in a reply to this discussion
>> kickoff.
>> >
>> > If you have other proposals feel free to state them.
>> >
>> > This discussion will be followed up by a vote thread if necessary.
>> >
>> > Ralph
>> >
>> >
>> >
>>

Re: [DISCUSS] The future of Log4j 1.x

[Volkan Yazıcı]

Agreed with all points of Carter.

It is either 1 or 4.
Anything more than 4 (including 5) is a hard no from me.

On Fri, Dec 24, 2021 at 6:00 PM Carter Kozak  wrote:

> I would agree directionally with option 1 or option 4.
>
> Making changes without pushing binary artifacts to maven central (options
> 2 and 3) is unlikely to do much good for the types of projects which still
> use log4j1. Option 5 is a hard no from me, my time is already too
> constrained, there are better options, and the architecture limits
> substantive improvements.
>
> -ck
>
> On Fri, Dec 24, 2021, at 11:47, Ralph Goers wrote:
> > As we all know Log4j 1.x reached end of life in August 2015. Log4j
> 1.2.17 was released on May 26, 2012. The last commit was to update the
> > web site 7 years ago. The changes.xml file shows there were commits up
> to sometime in 2012, all of which were performed by Gary Gregory
> > and Christian Grobmeier who ironically both voted no to opening the repo
> back up.
> >
> > The point of this history is to point out that the project essentially
> died in 2012. We simply acknowledged it in 2015.
> >
> > So now we have voted to open the repo. The question then becomes what to
> do next and going forward. I see several options:
> >
> > 1. Create a README.md that publishes the projects EOL status and do
> nothing else.
> > 2. Create a README.md that says the project is EOL and no further big
> fixes or enhancements will be made but 1.2.18 was a special
> > circumstance. Perform ONLY the following work for 1.2.18:
> > a.  Make the build work with a modern version of Maven.
> > b.  Fix the Java version bug.
> > c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
> > d.  Fix CVE-2019-17571
> > The expectation is that the above would address the actual issues
> and not just remove classes.
> > Do NOT perform a release of any kind.
> > 3. Option 2 but only perform a source release.
> > 4. Option 2 but perform a full release.
> > 5. Option 4 but allow development to continue, including bug fixes and
> enhancements.
> >
> > I personally can see valid reasons to do any of the above.  I have my
> own opinion on this but I will post that in a reply to this discussion
> kickoff.
> >
> > If you have other proposals feel free to state them.
> >
> > This discussion will be followed up by a vote thread if necessary.
> >
> > Ralph
> >
> >
> >
>

Re: [DISCUSS] The future of Log4j 1.x

[Ralph Goers]

Before any Pull Requests are reviewed this discussion needs to come to a 
conclusion.

So far I have seen some people in favor of option 1, none in favor of option 2, 
none in 
favor of option 3, some in favor of option 1 or option 4, no one in favor of 
option 5 
(with several -1s) and Vladimir who seems to be in favor of option 5 + more 
(whatever 
that may be).

Other than Vladimir and Leo I am not sure who the other contributors are and am 
still 
awaiting input from them.

In the meantime, we are still fighting fires in the Log4j 2 world and really 
have limited 
time to review these PRs right now anyway.

Ralph

> On Dec 25, 2021, at 2:59 AM, Andrew Marlow  wrote:
> 
> this is a great summary of the options. I vote for option 2.
> 
> On Fri, 24 Dec 2021 at 16:47, Ralph Goers 
> wrote:
> 
>> As we all know Log4j 1.x reached end of life in August 2015. Log4j 1.2.17
>> was released on May 26, 2012. The last commit was to update the
>> web site 7 years ago. The changes.xml file shows there were commits up to
>> sometime in 2012, all of which were performed by Gary Gregory
>> and Christian Grobmeier who ironically both voted no to opening the repo
>> back up.
>> 
>> The point of this history is to point out that the project essentially
>> died in 2012. We simply acknowledged it in 2015.
>> 
>> So now we have voted to open the repo. The question then becomes what to
>> do next and going forward. I see several options:
>> 
>> 1. Create a README.md that publishes the projects EOL status and do
>> nothing else.
>> 2. Create a README.md that says the project is EOL and no further big
>> fixes or enhancements will be made but 1.2.18 was a special
>>circumstance. Perform ONLY the following work for 1.2.18:
>>a.  Make the build work with a modern version of Maven.
>>b.  Fix the Java version bug.
>>c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
>>d.  Fix CVE-2019-17571
>>The expectation is that the above would address the actual issues and
>> not just remove classes.
>>Do NOT perform a release of any kind.
>> 3. Option 2 but only perform a source release.
>> 4. Option 2 but perform a full release.
>> 5. Option 4 but allow development to continue, including bug fixes and
>> enhancements.
>> 
>> I personally can see valid reasons to do any of the above.  I have my own
>> opinion on this but I will post that in a reply to this discussion kickoff.
>> 
>> If you have other proposals feel free to state them.
>> 
>> This discussion will be followed up by a vote thread if necessary.
>> 
>> Ralph
>> 
>> 
>> 
> 
> -- 
> Regards,
> 
> Andrew Marlow
> http://www.andrewpetermarlow.co.uk

Re: [DISCUSS] The future of Log4j 1.x

[Andrew Marlow]

this is a great summary of the options. I vote for option 2.

On Fri, 24 Dec 2021 at 16:47, Ralph Goers 
wrote:

> As we all know Log4j 1.x reached end of life in August 2015. Log4j 1.2.17
> was released on May 26, 2012. The last commit was to update the
> web site 7 years ago. The changes.xml file shows there were commits up to
> sometime in 2012, all of which were performed by Gary Gregory
> and Christian Grobmeier who ironically both voted no to opening the repo
> back up.
>
> The point of this history is to point out that the project essentially
> died in 2012. We simply acknowledged it in 2015.
>
> So now we have voted to open the repo. The question then becomes what to
> do next and going forward. I see several options:
>
> 1. Create a README.md that publishes the projects EOL status and do
> nothing else.
> 2. Create a README.md that says the project is EOL and no further big
> fixes or enhancements will be made but 1.2.18 was a special
> circumstance. Perform ONLY the following work for 1.2.18:
> a.  Make the build work with a modern version of Maven.
> b.  Fix the Java version bug.
> c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
> d.  Fix CVE-2019-17571
> The expectation is that the above would address the actual issues and
> not just remove classes.
> Do NOT perform a release of any kind.
> 3. Option 2 but only perform a source release.
> 4. Option 2 but perform a full release.
> 5. Option 4 but allow development to continue, including bug fixes and
> enhancements.
>
> I personally can see valid reasons to do any of the above.  I have my own
> opinion on this but I will post that in a reply to this discussion kickoff.
>
> If you have other proposals feel free to state them.
>
> This discussion will be followed up by a vote thread if necessary.
>
> Ralph
>
>
>

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk

Re: [DISCUSS] The future of Log4j 1.x

[Gary Gregory]

On Fri, Dec 24, 2021 at 5:21 PM Dominik Psenner  wrote:

> I am in favor of option 1, basically this:
>
> * Add an EOL marker, big and bold
> * Allow the repository to be cloned
> * Allow the repository to be forked
> * Disable the creation of new pull requests (on github)
> * Disable creation of issues (on github; this is the default; I want to
> stress this by mentioning it explicitly)
>
> My reasoning behind this is that an EOL must not consume resources. Any
> resource available should be invested in something that is not EOL so that
> opportunities are not lost with friction or distraction.
>
> Having this, someone can easily fork/clone the repository on github and
> work on the codebase. We may consider accepting these patches as
> contributions in the future. So long logging services considers log4j1 EOL,
> people should be strongly encouraged to migrate and not to base their work
> on an EOL component.
>
> Why not allow creation of pull requests or issues? This clearly draws a
> line. Logging services is not investing resources in an EOL component. This
> enforces that any new commits happen on a fork or clone. This has the
> effect that the public could not become confused. In the perception of the
> general public any changes are clearly unrelated to Apache logging
> services. The position of Apache logging services is clearly that the
> component is EOL.
>
> Should valuable contributions appear in the future we may reconsider what
> to do. We could then for instance review changes in a fork and cherry pick
> the contributions. This could hold for minimal changes that fix CVEs. If
> changes are too large to be cherry picked, my gut feeling tells me that too
> many resources are invested in an EOL component.
>

Nice write up Dominick & something I can get behind.

Gary


>
> --
> Sent from my phone. Typos are a kind gift to anyone who happens to find
> them.
>
> On Fri, Dec 24, 2021, 17:47 Ralph Goers 
> wrote:
>
> > As we all know Log4j 1.x reached end of life in August 2015. Log4j 1.2.17
> > was released on May 26, 2012. The last commit was to update the
> > web site 7 years ago. The changes.xml file shows there were commits up to
> > sometime in 2012, all of which were performed by Gary Gregory
> > and Christian Grobmeier who ironically both voted no to opening the repo
> > back up.
> >
> > The point of this history is to point out that the project essentially
> > died in 2012. We simply acknowledged it in 2015.
> >
> > So now we have voted to open the repo. The question then becomes what to
> > do next and going forward. I see several options:
> >
> > 1. Create a README.md that publishes the projects EOL status and do
> > nothing else.
> > 2. Create a README.md that says the project is EOL and no further big
> > fixes or enhancements will be made but 1.2.18 was a special
> > circumstance. Perform ONLY the following work for 1.2.18:
> > a.  Make the build work with a modern version of Maven.
> > b.  Fix the Java version bug.
> > c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
> > d.  Fix CVE-2019-17571
> > The expectation is that the above would address the actual issues and
> > not just remove classes.
> > Do NOT perform a release of any kind.
> > 3. Option 2 but only perform a source release.
> > 4. Option 2 but perform a full release.
> > 5. Option 4 but allow development to continue, including bug fixes and
> > enhancements.
> >
> > I personally can see valid reasons to do any of the above.  I have my own
> > opinion on this but I will post that in a reply to this discussion
> kickoff.
> >
> > If you have other proposals feel free to state them.
> >
> > This discussion will be followed up by a vote thread if necessary.
> >
> > Ralph
> >
> >
> >
>

Re: [DISCUSS] The future of Log4j 1.x

[Dominik Psenner]

I am in favor of option 1, basically this:

* Add an EOL marker, big and bold
* Allow the repository to be cloned
* Allow the repository to be forked
* Disable the creation of new pull requests (on github)
* Disable creation of issues (on github; this is the default; I want to
stress this by mentioning it explicitly)

My reasoning behind this is that an EOL must not consume resources. Any
resource available should be invested in something that is not EOL so that
opportunities are not lost with friction or distraction.

Having this, someone can easily fork/clone the repository on github and
work on the codebase. We may consider accepting these patches as
contributions in the future. So long logging services considers log4j1 EOL,
people should be strongly encouraged to migrate and not to base their work
on an EOL component.

Why not allow creation of pull requests or issues? This clearly draws a
line. Logging services is not investing resources in an EOL component. This
enforces that any new commits happen on a fork or clone. This has the
effect that the public could not become confused. In the perception of the
general public any changes are clearly unrelated to Apache logging
services. The position of Apache logging services is clearly that the
component is EOL.

Should valuable contributions appear in the future we may reconsider what
to do. We could then for instance review changes in a fork and cherry pick
the contributions. This could hold for minimal changes that fix CVEs. If
changes are too large to be cherry picked, my gut feeling tells me that too
many resources are invested in an EOL component.

--
Sent from my phone. Typos are a kind gift to anyone who happens to find
them.

On Fri, Dec 24, 2021, 17:47 Ralph Goers  wrote:

> As we all know Log4j 1.x reached end of life in August 2015. Log4j 1.2.17
> was released on May 26, 2012. The last commit was to update the
> web site 7 years ago. The changes.xml file shows there were commits up to
> sometime in 2012, all of which were performed by Gary Gregory
> and Christian Grobmeier who ironically both voted no to opening the repo
> back up.
>
> The point of this history is to point out that the project essentially
> died in 2012. We simply acknowledged it in 2015.
>
> So now we have voted to open the repo. The question then becomes what to
> do next and going forward. I see several options:
>
> 1. Create a README.md that publishes the projects EOL status and do
> nothing else.
> 2. Create a README.md that says the project is EOL and no further big
> fixes or enhancements will be made but 1.2.18 was a special
> circumstance. Perform ONLY the following work for 1.2.18:
> a.  Make the build work with a modern version of Maven.
> b.  Fix the Java version bug.
> c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
> d.  Fix CVE-2019-17571
> The expectation is that the above would address the actual issues and
> not just remove classes.
> Do NOT perform a release of any kind.
> 3. Option 2 but only perform a source release.
> 4. Option 2 but perform a full release.
> 5. Option 4 but allow development to continue, including bug fixes and
> enhancements.
>
> I personally can see valid reasons to do any of the above.  I have my own
> opinion on this but I will post that in a reply to this discussion kickoff.
>
> If you have other proposals feel free to state them.
>
> This discussion will be followed up by a vote thread if necessary.
>
> Ralph
>
>
>

Re: [DISCUSS] The future of Log4j 1.x

[Matt Sicker]

I’d be in favor of 1 or 4. Option 5 isn’t very feasible right now evidenced by 
how difficult it is to get enough votes on most of our other subproject 
releases like log4net, log4cxx, Log4j Scala API, and Log4j Kotlin API. There’s 
a long history in this PMC of wondering whether or not to continue developing 
various subprojects due to lack of community activity.
--
Matt Sicker

> On Dec 24, 2021, at 12:30, Ralph Goers  wrote:
> 
> If I were to vote today it would probably be for option 1. I had a discussion 
> with another ASF member yesterday who reminded me that in projects 
> like Tomcat EOL means EOL. Once that date is hit under no circumstances will 
> they issue a new release.
> 
> However, I understand that there is a difference between Log4j and Tomcat. 
> Tomcat 4 vs 5 would not have been a completely new and 
> incompatible architecture as Log4j 2 was. On the other hand I created the 
> compatibility bridge 2 years ago and it is quite clear that some of the 
> people looking to fix Log4j 1 have no idea it exists and/or have never tried 
> it. My preference would be to focus on fixing whatever issues are found 
> in that. 
> 
> Options 2 & 3 are interesting because they indicate that the project is still 
> EOL. But they don’t really help anyone much. So if any work is done on 
> the Log4j 1 code base I would generally agree that option 4 is the best 
> choice.
> 
> I am also -1 on option 5. If option 4 is chosen it is possible I could be 
> persuaded to do another CVE release should one be necessary, but that is it.
> Log4j 1 is EOL and should stay that way.
> 
> Ralph
> 
> 
> 
>> On Dec 24, 2021, at 9:47 AM, Ralph Goers  wrote:
>> 
>> As we all know Log4j 1.x reached end of life in August 2015. Log4j 1.2.17 
>> was released on May 26, 2012. The last commit was to update the 
>> web site 7 years ago. The changes.xml file shows there were commits up to 
>> sometime in 2012, all of which were performed by Gary Gregory 
>> and Christian Grobmeier who ironically both voted no to opening the repo 
>> back up. 
>> 
>> The point of this history is to point out that the project essentially died 
>> in 2012. We simply acknowledged it in 2015.
>> 
>> So now we have voted to open the repo. The question then becomes what to do 
>> next and going forward. I see several options:
>> 
>> 1. Create a README.md that publishes the projects EOL status and do nothing 
>> else.
>> 2. Create a README.md that says the project is EOL and no further big fixes 
>> or enhancements will be made but 1.2.18 was a special 
>>   circumstance. Perform ONLY the following work for 1.2.18:
>>   a.  Make the build work with a modern version of Maven.
>>   b.  Fix the Java version bug.
>>   c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
>>   d.  Fix CVE-2019-17571
>>   The expectation is that the above would address the actual issues and not 
>> just remove classes.
>>   Do NOT perform a release of any kind.
>> 3. Option 2 but only perform a source release.
>> 4. Option 2 but perform a full release.
>> 5. Option 4 but allow development to continue, including bug fixes and 
>> enhancements.
>> 
>> I personally can see valid reasons to do any of the above.  I have my own 
>> opinion on this but I will post that in a reply to this discussion kickoff.
>> 
>> If you have other proposals feel free to state them.  
>> 
>> This discussion will be followed up by a vote thread if necessary.
>> 
>> Ralph
>> 
>> 
>> 
> 

Re: [DISCUSS] The future of Log4j 1.x

[Ralph Goers]

If I were to vote today it would probably be for option 1. I had a discussion 
with another ASF member yesterday who reminded me that in projects 
like Tomcat EOL means EOL. Once that date is hit under no circumstances will 
they issue a new release.

However, I understand that there is a difference between Log4j and Tomcat. 
Tomcat 4 vs 5 would not have been a completely new and 
incompatible architecture as Log4j 2 was. On the other hand I created the 
compatibility bridge 2 years ago and it is quite clear that some of the 
people looking to fix Log4j 1 have no idea it exists and/or have never tried 
it. My preference would be to focus on fixing whatever issues are found 
in that. 

Options 2 & 3 are interesting because they indicate that the project is still 
EOL. But they don’t really help anyone much. So if any work is done on 
the Log4j 1 code base I would generally agree that option 4 is the best choice.

I am also -1 on option 5. If option 4 is chosen it is possible I could be 
persuaded to do another CVE release should one be necessary, but that is it.
Log4j 1 is EOL and should stay that way.

Ralph



> On Dec 24, 2021, at 9:47 AM, Ralph Goers  wrote:
> 
> As we all know Log4j 1.x reached end of life in August 2015. Log4j 1.2.17 was 
> released on May 26, 2012. The last commit was to update the 
> web site 7 years ago. The changes.xml file shows there were commits up to 
> sometime in 2012, all of which were performed by Gary Gregory 
> and Christian Grobmeier who ironically both voted no to opening the repo back 
> up. 
> 
> The point of this history is to point out that the project essentially died 
> in 2012. We simply acknowledged it in 2015.
> 
> So now we have voted to open the repo. The question then becomes what to do 
> next and going forward. I see several options:
> 
> 1. Create a README.md that publishes the projects EOL status and do nothing 
> else.
> 2. Create a README.md that says the project is EOL and no further big fixes 
> or enhancements will be made but 1.2.18 was a special 
>circumstance. Perform ONLY the following work for 1.2.18:
>a.  Make the build work with a modern version of Maven.
>b.  Fix the Java version bug.
>c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
>d.  Fix CVE-2019-17571
>The expectation is that the above would address the actual issues and not 
> just remove classes.
>Do NOT perform a release of any kind.
> 3. Option 2 but only perform a source release.
> 4. Option 2 but perform a full release.
> 5. Option 4 but allow development to continue, including bug fixes and 
> enhancements.
> 
> I personally can see valid reasons to do any of the above.  I have my own 
> opinion on this but I will post that in a reply to this discussion kickoff.
> 
> If you have other proposals feel free to state them.  
> 
> This discussion will be followed up by a vote thread if necessary.
> 
> Ralph
> 
> 
> 

Re: [DISCUSS] The future of Log4j 1.x

[Ralph Goers]

> On Dec 24, 2021, at 10:05 AM, Gary Gregory  wrote:
> 
>> 
> 
> What happens to the new repo Ralph created, will it just be deleted?
> 

The request was to delete that repo. The request was to rename apache/log4j to 
apache/logging-log4j1, 
which is the same name as the repo I created. 

Ralph

Re: [DISCUSS] The future of Log4j 1.x

[Christian Grobmeier]

Thank you very much Ralph for compiling this list.

On Fri, Dec 24, 2021, at 17:47, Ralph Goers wrote:
> 1. Create a README.md that publishes the projects EOL status and do 
> nothing else.
> 2. Create a README.md that says the project is EOL and no further big 
> fixes or enhancements will be made but 1.2.18 was a special 
> circumstance. Perform ONLY the following work for 1.2.18:
> a.  Make the build work with a modern version of Maven.
> b.  Fix the Java version bug.
> c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
> d.  Fix CVE-2019-17571
> The expectation is that the above would address the actual issues 
> and not just remove classes.
> Do NOT perform a release of any kind.
> 3. Option 2 but only perform a source release.
> 4. Option 2 but perform a full release.
> 5. Option 4 but allow development to continue, including bug fixes and 
> enhancements.

I am thinking option 1 is the best. We should improve log4j2 instead of wasting 
time to software which was last. updated in what, 2012?

However, I can see that there is some users who want to fix serious issues 
because they have reasons.

I would be fine with 2, if:

 - we clearly mark it EOL and tell this is a security patch for those who still 
couldn't upgrade
 - we promote to work on log4j2 bridge et al, if someone is willing to 
contribute, and helping writing migration guides
 - we allow all commits which makes the build easier and fixes (critical) 
issues. No more features which could lead to a version bump to 1.3, which is 
already taken by a failed attempt to upgrade

I am OK with option 4. The build is to complicated for anybody outside the 
developer list to make it happen. If we upgrade, we need to help users further.

Here is a new option.

Assuming we can make it a 1.2.18 and assuming we find out there is >=2 people 
willing to develop this further by ~mid 2022, we vote again if we continue this 
project. 

Only with a committed community we don't have to close it down again. Please 
take also in mind, that there is a competing logging project which developed 
the 1.2.x code base further. This will also add tensions.

Cheers
Christian 


>
> I personally can see valid reasons to do any of the above.  I have my 
> own opinion on this but I will post that in a reply to this discussion 
> kickoff.
>
> If you have other proposals feel free to state them.  
>
> This discussion will be followed up by a vote thread if necessary.
>
> Ralph

Re: [DISCUSS] The future of Log4j 1.x

[Vladimir Sitnikov]

>a.  Make the build work with a modern version of Maven.
>b.  Fix the Java version bug.
>c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
>d.  Fix CVE-2019-17571
>allow development to continue, including bug fixes and enhancements

+1 to all that, including new source+binary releases as the changes are
merged.

On top of that, I would suggest dropping EOL notice and using something like
"Supported on best effort basis" or "Development ceased".

Vladimir

Re: [DISCUSS] The future of Log4j 1.x

[Gary Gregory]

On Fri, Dec 24, 2021 at 12:13 PM Carter Kozak  wrote:

> > Sorry to be pedantic, but what Apache rules apply to the previous
> DISCUSS/VOTE thread?
>
> There's no need to apologize, the rules exist for a reason!
>
> > It should be telling, not ironic, that the last two contributors to
> Log4j 1 that are still here voted -1
>
> This is a great point which I hadn't realized myself. For what it's worth,
> I would consider _my_ vote with much less weight than those who have
> actually contributed to and maintained the log4j-1 project.
>

Let's not do that! ;-) Don't weigh your vote for not having had to suffer
through log4j 1 releases, DLLs and all ;-)

Gary


> -ck
>
> On Fri, Dec 24, 2021, at 12:05, Gary Gregory wrote:
> > On Fri, Dec 24, 2021 at 11:47 AM Ralph Goers  >
> > wrote:
> >
> > > As we all know Log4j 1.x reached end of life in August 2015. Log4j
> 1.2.17
> > > was released on May 26, 2012. The last commit was to update the
> > > web site 7 years ago. The changes.xml file shows there were commits up
> to
> > > sometime in 2012, all of which were performed by Gary Gregory
> > > and Christian Grobmeier who ironically both voted no to opening the
> repo
> > > back up.
> >
> >
> > Note that the repo DISCUSS/VOTE thread seemed informal because it did
> > specify the rules for -1/+1: Is a -1 a VETO or does the VOTE follow
> RELEASE
> > rules? This is obviously not a RELEASE though. Sorry to be pedantic, but
> > what Apache rules apply to the previous DISCUSS/VOTE thread?
> >
> > It should be telling, not ironic, that the last two contributors to
> Log4j 1
> > that are still here voted -1, but, if, big if, we (1) move fw the repo
> and
> > (2) then w a release... I'll opine ;-)
> >
> >
> > >
> > >
> > > The point of this history is to point out that the project essentially
> > > died in 2012. We simply acknowledged it in 2015.
> > >
> > > So now we have voted to open the repo. The question then becomes what
> to
> > > do next and going forward. I see several options:
> > >
> >
> > What happens to the new repo Ralph created, will it just be deleted?
> >
> >
> > >
> > > 1. Create a README.md that publishes the projects EOL status and do
> > > nothing else.
> > >
> > Fine with me.
> >
> >
> > > 2. Create a README.md that says the project is EOL and no further big
> > > fixes or enhancements will be made but 1.2.18 was a special
> > > circumstance. Perform ONLY the following work for 1.2.18:
> > > a.  Make the build work with a modern version of Maven.
> > >
> > If we move fw w the repo, this seems like a no-brainer requirement IMO.
> >
> >
> > > b.  Fix the Java version bug.
> > >
> > Not sure what that one is, but If we move fw w the repo, OK.
> >
> > c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
> > >
> > If we move fw w the repo, OK
> >
> >
> > > d.  Fix CVE-2019-17571
> > > The expectation is that the above would address the actual issues
> and
> > > not just remove classes.
> > >
> > If we move fw w the repo, OK.
> >
> >
> > > Do NOT perform a release of any kind.
> > >
> > 3. Option 2 but only perform a source release.
> > > 4. Option 2 but perform a full release.
> > >
> > Seems like the better solution b/w 3 and 4, a source only feels like a
> > tease if not worse.
> >
> >
> > > 5. Option 4 but allow development to continue, including bug fixes and
> > > enhancements.
> > >
> > -1 there. 1.x remains EOL. Focus on 1.2 bridge code in 2.x.
> >
> > Thank you Ralph but putting this list together! :-)
> > Gary
> >
> >
> > >
> > > I personally can see valid reasons to do any of the above.  I have my
> own
> > > opinion on this but I will post that in a reply to this discussion
> kickoff.
> > >
> > > If you have other proposals feel free to state them.
> > >
> > > This discussion will be followed up by a vote thread if necessary.
> > >
> > > Ralph
> > >
> > >
> > >
> >
>

Re: [DISCUSS] The future of Log4j 1.x

[Christian Grobmeier]

On Fri, Dec 24, 2021, at 18:12, Carter Kozak wrote:
>> Sorry to be pedantic, but what Apache rules apply to the previous 
>> DISCUSS/VOTE thread?
>
> There's no need to apologize, the rules exist for a reason!
>
>> It should be telling, not ironic, that the last two contributors to Log4j 1 
>> that are still here voted -1
>
> This is a great point which I hadn't realized myself. For what it's 
> worth, I would consider _my_ vote with much less weight than those who 
> have actually contributed to and maintained the log4j-1 project.

There is no log4j1 or log4j2 community. There is only one ASF Logging 
community, which includes all committers from all the logging projects.

I have contributed to log4j1, but our votes weight the same. You are on the PMC 
because other PMC members trusted you, so do I. I trust you and believe your 
raise opinions to the best of the project.

We had this kind of discussion in our project history: "I had more commits, why 
doesn't it give me more weight in decisions". It almost killed this project 
years ago and led to many frustrations.

I hope I didn't sound like a teacher too much, but working here at that time 
made me very sensitive to this topic, so I had to write this.

Cheers!

>
> -ck
>
> On Fri, Dec 24, 2021, at 12:05, Gary Gregory wrote:
>> On Fri, Dec 24, 2021 at 11:47 AM Ralph Goers 
>> wrote:
>> 
>> > As we all know Log4j 1.x reached end of life in August 2015. Log4j 1.2.17
>> > was released on May 26, 2012. The last commit was to update the
>> > web site 7 years ago. The changes.xml file shows there were commits up to
>> > sometime in 2012, all of which were performed by Gary Gregory
>> > and Christian Grobmeier who ironically both voted no to opening the repo
>> > back up.
>> 
>> 
>> Note that the repo DISCUSS/VOTE thread seemed informal because it did
>> specify the rules for -1/+1: Is a -1 a VETO or does the VOTE follow RELEASE
>> rules? This is obviously not a RELEASE though. Sorry to be pedantic, but
>> what Apache rules apply to the previous DISCUSS/VOTE thread?
>> 
>> It should be telling, not ironic, that the last two contributors to Log4j 1
>> that are still here voted -1, but, if, big if, we (1) move fw the repo and
>> (2) then w a release... I'll opine ;-)
>> 
>> 
>> >
>> >
>> > The point of this history is to point out that the project essentially
>> > died in 2012. We simply acknowledged it in 2015.
>> >
>> > So now we have voted to open the repo. The question then becomes what to
>> > do next and going forward. I see several options:
>> >
>> 
>> What happens to the new repo Ralph created, will it just be deleted?
>> 
>> 
>> >
>> > 1. Create a README.md that publishes the projects EOL status and do
>> > nothing else.
>> >
>> Fine with me.
>> 
>> 
>> > 2. Create a README.md that says the project is EOL and no further big
>> > fixes or enhancements will be made but 1.2.18 was a special
>> > circumstance. Perform ONLY the following work for 1.2.18:
>> > a.  Make the build work with a modern version of Maven.
>> >
>> If we move fw w the repo, this seems like a no-brainer requirement IMO.
>> 
>> 
>> > b.  Fix the Java version bug.
>> >
>> Not sure what that one is, but If we move fw w the repo, OK.
>> 
>> c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
>> >
>> If we move fw w the repo, OK
>> 
>> 
>> > d.  Fix CVE-2019-17571
>> > The expectation is that the above would address the actual issues and
>> > not just remove classes.
>> >
>> If we move fw w the repo, OK.
>> 
>> 
>> > Do NOT perform a release of any kind.
>> >
>> 3. Option 2 but only perform a source release.
>> > 4. Option 2 but perform a full release.
>> >
>> Seems like the better solution b/w 3 and 4, a source only feels like a
>> tease if not worse.
>> 
>> 
>> > 5. Option 4 but allow development to continue, including bug fixes and
>> > enhancements.
>> >
>> -1 there. 1.x remains EOL. Focus on 1.2 bridge code in 2.x.
>> 
>> Thank you Ralph but putting this list together! :-)
>> Gary
>> 
>> 
>> >
>> > I personally can see valid reasons to do any of the above.  I have my own
>> > opinion on this but I will post that in a reply to this discussion kickoff.
>> >
>> > If you have other proposals feel free to state them.
>> >
>> > This discussion will be followed up by a vote thread if necessary.
>> >
>> > Ralph
>> >
>> >
>> >
>>

Re: [DISCUSS] The future of Log4j 1.x

[Carter Kozak]

> Sorry to be pedantic, but what Apache rules apply to the previous 
> DISCUSS/VOTE thread?

There's no need to apologize, the rules exist for a reason!

> It should be telling, not ironic, that the last two contributors to Log4j 1 
> that are still here voted -1

This is a great point which I hadn't realized myself. For what it's worth, I 
would consider _my_ vote with much less weight than those who have actually 
contributed to and maintained the log4j-1 project.

-ck

On Fri, Dec 24, 2021, at 12:05, Gary Gregory wrote:
> On Fri, Dec 24, 2021 at 11:47 AM Ralph Goers 
> wrote:
> 
> > As we all know Log4j 1.x reached end of life in August 2015. Log4j 1.2.17
> > was released on May 26, 2012. The last commit was to update the
> > web site 7 years ago. The changes.xml file shows there were commits up to
> > sometime in 2012, all of which were performed by Gary Gregory
> > and Christian Grobmeier who ironically both voted no to opening the repo
> > back up.
> 
> 
> Note that the repo DISCUSS/VOTE thread seemed informal because it did
> specify the rules for -1/+1: Is a -1 a VETO or does the VOTE follow RELEASE
> rules? This is obviously not a RELEASE though. Sorry to be pedantic, but
> what Apache rules apply to the previous DISCUSS/VOTE thread?
> 
> It should be telling, not ironic, that the last two contributors to Log4j 1
> that are still here voted -1, but, if, big if, we (1) move fw the repo and
> (2) then w a release... I'll opine ;-)
> 
> 
> >
> >
> > The point of this history is to point out that the project essentially
> > died in 2012. We simply acknowledged it in 2015.
> >
> > So now we have voted to open the repo. The question then becomes what to
> > do next and going forward. I see several options:
> >
> 
> What happens to the new repo Ralph created, will it just be deleted?
> 
> 
> >
> > 1. Create a README.md that publishes the projects EOL status and do
> > nothing else.
> >
> Fine with me.
> 
> 
> > 2. Create a README.md that says the project is EOL and no further big
> > fixes or enhancements will be made but 1.2.18 was a special
> > circumstance. Perform ONLY the following work for 1.2.18:
> > a.  Make the build work with a modern version of Maven.
> >
> If we move fw w the repo, this seems like a no-brainer requirement IMO.
> 
> 
> > b.  Fix the Java version bug.
> >
> Not sure what that one is, but If we move fw w the repo, OK.
> 
> c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
> >
> If we move fw w the repo, OK
> 
> 
> > d.  Fix CVE-2019-17571
> > The expectation is that the above would address the actual issues and
> > not just remove classes.
> >
> If we move fw w the repo, OK.
> 
> 
> > Do NOT perform a release of any kind.
> >
> 3. Option 2 but only perform a source release.
> > 4. Option 2 but perform a full release.
> >
> Seems like the better solution b/w 3 and 4, a source only feels like a
> tease if not worse.
> 
> 
> > 5. Option 4 but allow development to continue, including bug fixes and
> > enhancements.
> >
> -1 there. 1.x remains EOL. Focus on 1.2 bridge code in 2.x.
> 
> Thank you Ralph but putting this list together! :-)
> Gary
> 
> 
> >
> > I personally can see valid reasons to do any of the above.  I have my own
> > opinion on this but I will post that in a reply to this discussion kickoff.
> >
> > If you have other proposals feel free to state them.
> >
> > This discussion will be followed up by a vote thread if necessary.
> >
> > Ralph
> >
> >
> >
> 

Re: [DISCUSS] The future of Log4j 1.x

[Gary Gregory]

On Fri, Dec 24, 2021 at 11:47 AM Ralph Goers 
wrote:

> As we all know Log4j 1.x reached end of life in August 2015. Log4j 1.2.17
> was released on May 26, 2012. The last commit was to update the
> web site 7 years ago. The changes.xml file shows there were commits up to
> sometime in 2012, all of which were performed by Gary Gregory
> and Christian Grobmeier who ironically both voted no to opening the repo
> back up.


Note that the repo DISCUSS/VOTE thread seemed informal because it did
specify the rules for -1/+1: Is a -1 a VETO or does the VOTE follow RELEASE
rules? This is obviously not a RELEASE though. Sorry to be pedantic, but
what Apache rules apply to the previous DISCUSS/VOTE thread?

It should be telling, not ironic, that the last two contributors to Log4j 1
that are still here voted -1, but, if, big if, we (1) move fw the repo and
(2) then w a release... I'll opine ;-)


>
>
> The point of this history is to point out that the project essentially
> died in 2012. We simply acknowledged it in 2015.
>
> So now we have voted to open the repo. The question then becomes what to
> do next and going forward. I see several options:
>

What happens to the new repo Ralph created, will it just be deleted?


>
> 1. Create a README.md that publishes the projects EOL status and do
> nothing else.
>
Fine with me.


> 2. Create a README.md that says the project is EOL and no further big
> fixes or enhancements will be made but 1.2.18 was a special
> circumstance. Perform ONLY the following work for 1.2.18:
> a.  Make the build work with a modern version of Maven.
>
If we move fw w the repo, this seems like a no-brainer requirement IMO.


> b.  Fix the Java version bug.
>
Not sure what that one is, but If we move fw w the repo, OK.

c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
>
If we move fw w the repo, OK


> d.  Fix CVE-2019-17571
> The expectation is that the above would address the actual issues and
> not just remove classes.
>
If we move fw w the repo, OK.


> Do NOT perform a release of any kind.
>
3. Option 2 but only perform a source release.
> 4. Option 2 but perform a full release.
>
Seems like the better solution b/w 3 and 4, a source only feels like a
tease if not worse.


> 5. Option 4 but allow development to continue, including bug fixes and
> enhancements.
>
-1 there. 1.x remains EOL. Focus on 1.2 bridge code in 2.x.

Thank you Ralph but putting this list together! :-)
Gary


>
> I personally can see valid reasons to do any of the above.  I have my own
> opinion on this but I will post that in a reply to this discussion kickoff.
>
> If you have other proposals feel free to state them.
>
> This discussion will be followed up by a vote thread if necessary.
>
> Ralph
>
>
>

Re: [DISCUSS] The future of Log4j 1.x

[Carter Kozak]

I would agree directionally with option 1 or option 4.

Making changes without pushing binary artifacts to maven central (options 2 and 
3) is unlikely to do much good for the types of projects which still use 
log4j1. Option 5 is a hard no from me, my time is already too constrained, 
there are better options, and the architecture limits substantive improvements.

-ck

On Fri, Dec 24, 2021, at 11:47, Ralph Goers wrote:
> As we all know Log4j 1.x reached end of life in August 2015. Log4j 1.2.17 was 
> released on May 26, 2012. The last commit was to update the 
> web site 7 years ago. The changes.xml file shows there were commits up to 
> sometime in 2012, all of which were performed by Gary Gregory 
> and Christian Grobmeier who ironically both voted no to opening the repo back 
> up. 
> 
> The point of this history is to point out that the project essentially died 
> in 2012. We simply acknowledged it in 2015.
> 
> So now we have voted to open the repo. The question then becomes what to do 
> next and going forward. I see several options:
> 
> 1. Create a README.md that publishes the projects EOL status and do nothing 
> else.
> 2. Create a README.md that says the project is EOL and no further big fixes 
> or enhancements will be made but 1.2.18 was a special 
> circumstance. Perform ONLY the following work for 1.2.18:
> a.  Make the build work with a modern version of Maven.
> b.  Fix the Java version bug.
> c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
> d.  Fix CVE-2019-17571
> The expectation is that the above would address the actual issues and not 
> just remove classes.
> Do NOT perform a release of any kind.
> 3. Option 2 but only perform a source release.
> 4. Option 2 but perform a full release.
> 5. Option 4 but allow development to continue, including bug fixes and 
> enhancements.
> 
> I personally can see valid reasons to do any of the above.  I have my own 
> opinion on this but I will post that in a reply to this discussion kickoff.
> 
> If you have other proposals feel free to state them.  
> 
> This discussion will be followed up by a vote thread if necessary.
> 
> Ralph
> 
> 
> 

[DISCUSS] The future of Log4j 1.x

[Ralph Goers]

As we all know Log4j 1.x reached end of life in August 2015. Log4j 1.2.17 was 
released on May 26, 2012. The last commit was to update the 
web site 7 years ago. The changes.xml file shows there were commits up to 
sometime in 2012, all of which were performed by Gary Gregory 
and Christian Grobmeier who ironically both voted no to opening the repo back 
up. 

The point of this history is to point out that the project essentially died in 
2012. We simply acknowledged it in 2015.

So now we have voted to open the repo. The question then becomes what to do 
next and going forward. I see several options:

1. Create a README.md that publishes the projects EOL status and do nothing 
else.
2. Create a README.md that says the project is EOL and no further big fixes or 
enhancements will be made but 1.2.18 was a special 
circumstance. Perform ONLY the following work for 1.2.18:
a.  Make the build work with a modern version of Maven.
b.  Fix the Java version bug.
c.  Fix CVE-2021-4104 (expanded to address all JNDI components)
d.  Fix CVE-2019-17571
The expectation is that the above would address the actual issues and not 
just remove classes.
Do NOT perform a release of any kind.
3. Option 2 but only perform a source release.
4. Option 2 but perform a full release.
5. Option 4 but allow development to continue, including bug fixes and 
enhancements.

I personally can see valid reasons to do any of the above.  I have my own 
opinion on this but I will post that in a reply to this discussion kickoff.

If you have other proposals feel free to state them.  

This discussion will be followed up by a vote thread if necessary.

Ralph