[ 
https://issues.apache.org/jira/browse/HADOOP-16206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17311504#comment-17311504
 ] 

Ahmed Hussein commented on HADOOP-16206:
----------------------------------------

Regarding the concerns that the downstream could use the network classes in 
log4j, those classes can be removed from the jar file without affecting Hadoop. 
Therefore, security-wise, the effort to migrate is not worthwhile.

If there is clear evidence of performance gains in log4j2, then this will be 
the real motivation to migrate. While I like the idea that the log4j bridge 
could reduce the work significantly, I believe that it would be better to fully 
move to log4j2. I just think that the bridge may not last long given that it is 
not clear how its performance would compare to a pure log4j2 implementation and 
how long we would get support in the long run (i.e., future CVEs, using new 
JDKs, etc.).


> Migrate from Log4j1 to Log4j2
> -----------------------------
>
>                 Key: HADOOP-16206
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16206
>             Project: Hadoop Common
>          Issue Type: Sub-task
>    Affects Versions: 3.3.0
>            Reporter: Akira Ajisaka
>            Priority: Major
>         Attachments: HADOOP-16206-wip.001.patch
>
>
> This sub-task is to remove log4j1 dependency and add log4j2 dependency.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
