[ https://issues.apache.org/jira/browse/HADOOP-16206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17311504#comment-17311504 ]
Ahmed Hussein edited comment on HADOOP-16206 at 3/30/21, 12:59 PM:
-------------------------------------------------------------------
Regarding the concerns that the downstream could use the network classes in
log4j, those classes can be removed from the jar file without affecting Hadoop.
Therefore, security-wise, the effort to migrate is not worth it.
If there is clear evidence of performance gains in log4j2, then this will be
the real motivation to migrate. While I like the idea that the log4j bridge
could reduce the work significantly, I believe that it would be better to fully
move to log4j2. I think that the bridge may not last long given that it is not
clear how its performance would compare to a pure log4j2 implementation and how
long we will get support in the long run (i.e., future CVEs, using new JDKs, etc.).
was (Author: ahussein):
Regarding the concerns that the downstream could use the network classes in
log4j, those classes can be removed from the jar file without affecting Hadoop.
Therefore, security-wise, the effort to migrate is not worth it.
If there is clear evidence of performance gains in log4j2, then this will be
the real motivation to migrate. While I like the idea that the log4j bridge
could reduce the work significantly, I believe that it would be better to fully
move to log4j2. I just think that the bridge may not last long given that it is
not clear how its performance would compare to a pure log4j2 implementation and
how long we will get support in the long run (i.e., future CVEs, using new
JDKs, etc.).
> Migrate from Log4j1 to Log4j2
> -----------------------------
>
> Key: HADOOP-16206
> URL: https://issues.apache.org/jira/browse/HADOOP-16206
> Project: Hadoop Common
> Issue Type: Sub-task
> Affects Versions: 3.3.0
> Reporter: Akira Ajisaka
> Priority: Major
> Attachments: HADOOP-16206-wip.001.patch
>
>
> This sub-task is to remove log4j1 dependency and add log4j2 dependency.
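
The comment above says the log4j network classes can be removed from the jar. The following is an added example, not code from the issue, the comment author or Hadoop: it lists those entries in a jar and writes a stripped copy. It assumes "network classes" means the `org.apache.log4j.net` package of log4j 1.x; the sample jar is constructed in memory with placeholder bytes.

```python
import io
import zipfile

# Assumption: "network classes" = the org.apache.log4j.net package of log4j 1.x.
NET_PREFIX = "org/apache/log4j/net/"


def find_network_classes(jar):
    """Return sorted .class entries under NET_PREFIX; `jar` is a path or file object."""
    with zipfile.ZipFile(jar) as zf:
        return sorted(n for n in zf.namelist()
                      if n.startswith(NET_PREFIX) and n.endswith(".class"))


def strip_network_classes(src, dst):
    """Copy jar `src` to `dst` without NET_PREFIX entries; return the removed names."""
    removed = []
    with zipfile.ZipFile(src) as zin, \
            zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            if info.filename.startswith(NET_PREFIX):
                removed.append(info.filename)
                continue
            # Every other entry is copied byte for byte under its original name.
            zout.writestr(info, zin.read(info.filename))
    return sorted(removed)


def build_sample_jar():
    """Constructed stand-in for a log4j 1.x jar (placeholder bytes, not real classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("META-INF/MANIFEST.MF",
                     "org/apache/log4j/Logger.class",
                     "org/apache/log4j/net/SocketServer.class",
                     "org/apache/log4j/net/JMSAppender.class"):
            zf.writestr(name, b"placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    src, dst = build_sample_jar(), io.BytesIO()
    print("before :", find_network_classes(src))
    src.seek(0)
    print("removed:", strip_network_classes(src, dst))
    dst.seek(0)
    print("after  :", find_network_classes(dst))
```

Running `find_network_classes` over every log4j 1.x jar on a deployment's classpath shows whether a stripped artifact is the one actually being loaded.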