This is an automated email from the ASF dual-hosted git repository. vy pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
commit 9651905cbefbc2a92c6b98ff41bc60e4959b1aff Author: Volkan Yazıcı <[email protected]> AuthorDate: Tue Nov 28 11:57:34 2023 +0100 Improve auxiliary support files --- BUILDING.md | 1 - CODE_OF_CONDUCT.md | 2 +- NOTICE.txt | 3 -- RELEASE-NOTES.adoc | 98 ---------------------------------- CODE_OF_CONDUCT.md => RELEASE-NOTES.md | 3 +- SECURITY.md | 25 +++++---- 6 files changed, 18 insertions(+), 114 deletions(-) diff --git a/BUILDING.md b/BUILDING.md index b7e8ead10f..1223bda341 100644 --- a/BUILDING.md +++ b/BUILDING.md @@ -18,7 +18,6 @@ # Requirements * JDK 11+ -* Apache Maven 3.x (optional) * A modern Linux, OSX, or Windows host <a name="building"></a> diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 3ed501501d..e13878a151 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -14,4 +14,4 @@ See the License for the specific language governing permissions and limitations under the License. --> -The Apache code of conduct page is [https://www.apache.org/foundation/policies/conduct.html](https://www.apache.org/foundation/policies/conduct.html). +See [the Apache Software Foundation's Code of Conduct](https://www.apache.org/foundation/policies/conduct.html). diff --git a/NOTICE.txt b/NOTICE.txt index bdf985e45c..e51fe310c8 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -4,9 +4,6 @@ Copyright 1999-2023 Apache Software Foundation This product includes software developed at The Apache Software Foundation (http://www.apache.org/). -ResolverUtil.java -Copyright 2005-2006 Tim Fennell - TypeUtil.java Copyright 2002-2012 Ramnivas Laddad, Juergen Hoeller, Chris Beams diff --git a/RELEASE-NOTES.adoc b/RELEASE-NOTES.adoc deleted file mode 100644 index 0166af7e81..0000000000 --- a/RELEASE-NOTES.adoc +++ /dev/null @@ -1,98 +0,0 @@ -//// -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - https://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -//// - -= 3.0.0 (2023-06-17) - -As the Java ecosystem has evolved, requests have been received from users, and the need for improved security has -become more apparent, changes were necessariy in Log4j's design: - -* With the introduction of the Java Platform Module System (JPMS) changes were needed to how the various log4j modules -are packaged. While not every log4j module is now a fully compliant JPMS module with its own module-info.java file, -all the modules likely to be used in a JPMS environment are. -* Many optional components, such as Scripting, JNDI, JPA and JMS, have been moved to their own modules. This makes -Log4j-core slightly smaller in 3.x and aids in security by not having jars with unwanted behaviors present, making -disabling them via system properties unnecessary. -* All plugins constructed using Log4j 3.x are now located using Java's ServiceLoader. This avoids many of the problems -users had packaging plugins in "shaded" jars as that technology directly supports ServiceLoader. Plugins constructed -using Log4j 2.x will still function in Log4j 3.x. -* Log4j's annotation processor has been individually packaged separate from Log4j-core and the plugin system it enables. -For applications using the module path this makes it easier to provide the annotation processor since it must be -explicitly declared in those cases. -* Log4j 3.x now uses an internal dependency injection framework to allow plugins to be injected with instances of -classes they are dependent on. -* Many system properties used by Log4j can now be set to apply to a single LoggerContext making configuration -in application frameworks that support multiple applications more flexible. -* Some deprecated classes have been removed. However, every attempt has been made to ensure that user code compiled -for Log4j 2.x will continue to operate with the Log4j 3.x libraries present instead. - -== Changes - -=== Added - -* Allow plugins to be created through more flexible dependency injection patterns. (for https://issues.apache.org/jira/browse/LOG4J2-1188[LOG4J2-1188] by Matt Sicker) -* Allow to force LOG4J2 to use TCCL only. (for https://issues.apache.org/jira/browse/LOG4J2-2171[LOG4J2-2171] by `rmannibucau`, Ralph Goers) -* Allow web lookup to access more information. (for https://issues.apache.org/jira/browse/LOG4J2-2523[LOG4J2-2523] by Romain Manni-Bucau, Ralph Goers) -* Allow web lookup of session attributes. (for https://issues.apache.org/jira/browse/LOG4J2-2688[LOG4J2-2688] by Ralph Goers, Romain Manni-Bucau) -* Add support for injecting plugin configuration via builder methods. (for https://issues.apache.org/jira/browse/LOG4J2-2700[LOG4J2-2700] by Matt Sicker) -* Add scopes API for customizing plugin instance lifecycle. (for https://issues.apache.org/jira/browse/LOG4J2-2852[LOG4J2-2852] by Matt Sicker) -* Add qualifier annotations for distinguishing instances of the same type. (for https://issues.apache.org/jira/browse/LOG4J2-2853[LOG4J2-2853] by Matt Sicker) -* Create standardized dependency injection API. This is supported in several plugin categories and other configurable instances previously defined via system properties. (for https://issues.apache.org/jira/browse/LOG4J2-2854[LOG4J2-2854] by Matt Sicker) -* Add conditional annotations to support more declarative binding factory bundle classes. (for https://issues.apache.org/jira/browse/LOG4J2-3300[LOG4J2-3300] by Matt Sicker) -* Add built-in JSON configuration parser for a useful structured configuration file format which only requires the `java.base` module. (for https://issues.apache.org/jira/browse/LOG4J2-3415[LOG4J2-3415] by Matt Sicker) -* Add `@Ordered` annotation to support plugin ordering when two or more plugins within the same category have the same case-insensitive name. (for https://issues.apache.org/jira/browse/LOG4J2-857[LOG4J2-857] by Matt Sicker) - -=== Changed - -* Simplify Maven `site` phase and align it with the one in `2.x` branch. (for https://github.com/apache/logging-log4j2/pull/1220[1220] by Volkan Yazıcı) -* Update build to use Java 11 bytecode. (for https://github.com/apache/logging-log4j2/pull/480[480] by Ralph Goers) -* Convert documentation into AsciiDoc format. (for https://issues.apache.org/jira/browse/LOG4J2-1802[LOG4J2-1802] by Matt Sicker) -* Rename package `core.util.datetime` to `core.time.internal.format` to clarify these classes are to be considered private. (for https://issues.apache.org/jira/browse/LOG4J2-2224[LOG4J2-2224] by Remko Popma) -* Move time-related classes from `core.util` to `core.time`. Classes considered private moved to `core.time.internal`. (for https://issues.apache.org/jira/browse/LOG4J2-2225[LOG4J2-2225] by Remko Popma) -* Split off Kafka support into a new module `log4j-kafka`. (for https://issues.apache.org/jira/browse/LOG4J2-2227[LOG4J2-2227] by Gary Gregory) -* Split off ZeroMq/JeroMq support into a new module `log4j-jeromq`. (for https://issues.apache.org/jira/browse/LOG4J2-2228[LOG4J2-2228] by Gary Gregory) -* Split off SMTP support into a new module `log4j-smtp`. (for https://issues.apache.org/jira/browse/LOG4J2-2230[LOG4J2-2230] by Gary Gregory) -* Split off CSV layout into a new module `log4j-csv`. (for https://issues.apache.org/jira/browse/LOG4J2-2231[LOG4J2-2231] by Gary Gregory) -* Split off JMS support into a new module `log4j-jms`. (for https://issues.apache.org/jira/browse/LOG4J2-2232[LOG4J2-2232] by Gary Gregory) -* Split off JDBC support into a new module `log4j-jdbc`. (for https://issues.apache.org/jira/browse/LOG4J2-2233[LOG4J2-2233] by Gary Gregory) -* Split off Jackson-based layouts into their own modules: `log4j-layout-jackson-json`, `log4j-layout-jackson-xml` and `log4j-layout-jackson-yaml`. (for https://issues.apache.org/jira/browse/LOG4J2-2237[LOG4J2-2237] by Gary Gregory) -* Update builder methods from the "with" prefix to the "set" prefix. (for https://issues.apache.org/jira/browse/LOG4J2-2492[LOG4J2-2492] by Gary Gregory) -* Remove deprecated code. (for https://issues.apache.org/jira/browse/LOG4J2-2493[LOG4J2-2493] by Gary Gregory) -* Fix typo in method `MergeStrategy.mergeConfigurations`. (for https://issues.apache.org/jira/browse/LOG4J2-2617[LOG4J2-2617] by Matt Sicker) -* Separate plugin support to its own module. Plugin annotation processor will now generate a Java source file compatible with java.util.ServiceLoader instead of a binary file. (for https://issues.apache.org/jira/browse/LOG4J2-2621[LOG4J2-2621] by Ralph Goers) -* Rename `PluginVisitor` and related classes to `ConfigurationInjectionBuilder`. (for https://issues.apache.org/jira/browse/LOG4J2-2683[LOG4J2-2683] by Matt Sicker) -* Locate plugins in modules. (for https://issues.apache.org/jira/browse/LOG4J2-2690[LOG4J2-2690] by Ralph Goers) -* Split off JNDI support into a new module `log4j-jndi`. (for https://issues.apache.org/jira/browse/LOG4J2-3242[LOG4J2-3242] by Ralph Goers) -* Split off scripting support into a new module `log4j-script`. (for https://issues.apache.org/jira/browse/LOG4J2-3307[LOG4J2-3307] by Ralph Goers) -* Defer loading of `StrLookup` plugin classes until first usage. (for https://issues.apache.org/jira/browse/LOG4J2-3441[LOG4J2-3441] by Matt Sicker) -* Flatten the `ThreadContextMap` interfaces with default methods. (for https://issues.apache.org/jira/browse/LOG4J2-3626[LOG4J2-3626] by Matt Sicker) -* Allow Log4j properties to be provided in JSON files. (for https://issues.apache.org/jira/browse/LOG4J2-3658[LOG4J2-3658] by Ralph Goers) -* Unify plugin builders and plugin factories. (for https://issues.apache.org/jira/browse/LOG4J2-860[LOG4J2-860] by Matt Sicker) -* Update Conversant Disruptor from 1.12.15 to 1.12.21. The new version requires Java 11. (for https://issues.apache.org/jira/browse/LOG4J2-2079[LOG4J2-2079] by Ralph Goers, Volkan Yazıcı) - -=== Removed - -* Remove support for `java.io.Serializable` in several classes including `Message`, `Layout`, `LogEvent`, `Logger`, and `ReadOnlyStringMap`. (for https://issues.apache.org/jira/browse/LOG4J2-3228[LOG4J2-3228] by Matt Sicker) - -=== Fixed - -* `EnvironmentLookup` may throw NPE. (for https://issues.apache.org/jira/browse/LOG4J2-2244[LOG4J2-2244] by Gary Gregory) -* Move `ProcessIdUtil` from `log4j-api` to `log4j-core`. (for https://issues.apache.org/jira/browse/LOG4J2-2279[LOG4J2-2279] by Gary Gregory, Remko Popma) -* `FixedDateFormat` parses timezone offsets, -8:00 is interpreted as GMT-8:00. (for https://issues.apache.org/jira/browse/LOG4J2-2306[LOG4J2-2306] by Carter Kozak) -* `RoutingAppender.Builder#setPurgePolicy` fluently returns the builder instance. (for https://issues.apache.org/jira/browse/LOG4J2-2545[LOG4J2-2545] by Carter Kozak) -* Reduce Log4j 2 initialization time by deferring loading Plugin classes. (for https://issues.apache.org/jira/browse/LOG4J2-2795[LOG4J2-2795] by Ralph Goers) -* Fixes incorrect constructor call in `LocalizedMessageFactory`. (for https://issues.apache.org/jira/browse/LOG4J2-2850[LOG4J2-2850] by Volkan Yazıcı, sandeepbarnwal) -* Fix file descriptor leak on Tomcat. (for https://issues.apache.org/jira/browse/LOG4J2-3663[LOG4J2-3663] by `lenoch7`, Piotr P. Karwasz) diff --git a/CODE_OF_CONDUCT.md b/RELEASE-NOTES.md similarity index 83% copy from CODE_OF_CONDUCT.md copy to RELEASE-NOTES.md index 3ed501501d..bba82bc6af 100644 --- a/CODE_OF_CONDUCT.md +++ b/RELEASE-NOTES.md @@ -14,4 +14,5 @@ See the License for the specific language governing permissions and limitations under the License. --> -The Apache code of conduct page is [https://www.apache.org/foundation/policies/conduct.html](https://www.apache.org/foundation/policies/conduct.html). + +See [the Release Notes page](https://logging.apache.org/log4j/3.x/release-notes.html). diff --git a/SECURITY.md b/SECURITY.md index faece48db7..9465922ed5 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,13 +1,18 @@ -# Security Policy +<!--- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at -## Supported Versions + http://www.apache.org/licenses/LICENSE-2.0 -Only the most recent release of Apache Log4j 2 is supported. + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> -## Reporting a Vulnerability - -If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, please report them privately to the [Log4j Security Team](mailto:[email protected]). - -## Past Vulnerabilities - -See [Apache Log4j Security Vulnerabilities](https://logging.apache.org/log4j/2.x/security.html). +See [the Security page](https://logging.apache.org/log4j/3.x/security.html).
