As to your first point, I think it is a simple consideration: A user’s security department or compliance regulator will ask: “Does this version include log4j with a known CVE?” Why would we provide a release where they have to answer “yes” when we can provide them a release where they can answer “no”? Based on today’s knowledge. (And yes I am aware that a user can manually upgrade the jar versions in place after unpacking the tarballs. Nonetheless.)
I disagree that there was a real need to upgrade log4j because 1.x was EOL but I won’t argue that staying with old dependencies is automatically good. It’s done, anyway. The main point I would like to make here is should a good alternative emerge from this mess I am going to look at replacing log4j 2 with it. Or, if log4j decides to accept the inevitable and remove the dangerous substitution/rewrite feature then that would be fine too.

> On Dec 18, 2021, at 4:42 PM, 张铎 <palomino...@gmail.com> wrote:
>
> After 2.15.0, all the problems require you to manually put some special markers in the pattern layout in your configuration file, so it already hurts less; we do not have something like %m{lookup} in the pattern layout by default.
>
> Anyway, since we haven’t released 3.0.0-alpha-2 yet, let’s upgrade to the newest version.
>
> But staying on log4j1 should not be considered as a solution. Log4j1 is already dead long ago and it has several CVEs where no one wants to fix them, and our statement was just ‘do not use the feature’. That’s why we want to migrate to log4j2. Every project may have CVEs, so I think whether there are still enough people who are still maintaining the project is the most important thing. Log4j2 is already the most active logging framework, another option is logback, but there were no releases for nearly 4 years before 2021…
>
> Thanks. Let me upgrade the log4j2 to 2.17.0 and send out RC2.
>
> Andrew Purtell <apurt...@apache.org> wrote on Sun, Dec 19, 2021 at 05:25:
>
>> Apologies, I managed to hit the send button before finishing. My veto can be cured by upgrading Log4J to ** 2.17.0 ** . See https://logging.apache.org/log4j/2.x/security.html.
>>
>>> On Sat, Dec 18, 2021 at 1:22 PM Andrew Purtell <apurt...@apache.org> wrote:
>>>
>>> -1 (binding)
>>>
>>> The Log4J issues are not fixed by 2.15.
>>>
>>> I wish we had remained on Log4J 1. Hadoop 3 is still on 1, although I know they have plans to upgrade. It does not seem advisable to use Log4J 2 at all actually. Another option that does not include such a dangerous reference/rewrite mechanism might be preferable.
>>>
>>>> On Sat, Dec 18, 2021 at 12:02 PM Josh Elser <els...@apache.org> wrote:
>>>>
>>>> +1 (binding)
>>>>
>>>> * Xsums/sigs good
>>>> * Can build from source
>>>> * Log4j 2.15 is included (more on this in the below)
>>>> * log4j2.formatMsgNoLookups=true is set (multiple times per process, but properly set)
>>>> * hbase-config.sh issue is fixed over rc1
>>>>
>>>> Best as I've been able to keep up, it seems like we should already upgrade to log4j 2.16 due to issues in 2.15. There are also rumblings that 2.16 may have issues still. It's my opinion that the changes we have here in rc2 are a massive improvement over before. I think this is fine; I just wanted to acknowledge that we may still need to update again real soon.
>>>>
>>>> Thanks for your release manager work, Duo!
>>>>
>>>> On 12/14/21 9:06 AM, Duo Zhang wrote:
>>>>> Please vote on this Apache hbase release candidate, hbase-3.0.0-alpha-2RC1
>>>>>
>>>>> The VOTE will remain open for at least 72 hours.
>>>>>
>>>>> [ ] +1 Release this package as Apache hbase 3.0.0-alpha-2
>>>>> [ ] -1 Do not release this package because ...
>>>>>
>>>>> The tag to be voted on is 3.0.0-alpha-2RC1:
>>>>>
>>>>> https://github.com/apache/hbase/tree/3.0.0-alpha-2RC1
>>>>>
>>>>> This tag currently points to git reference
>>>>>
>>>>> a3ff8e4c812eefab6ad32af45ca449a1395a6510
>>>>>
>>>>> The release files, including signatures, digests, as well as CHANGES.md and RELEASENOTES.md included in this RC can be found at:
>>>>>
>>>>> https://dist.apache.org/repos/dist/dev/hbase/3.0.0-alpha-2RC1/
>>>>>
>>>>> Maven artifacts are available in a staging repository at:
>>>>>
>>>>> https://repository.apache.org/content/repositories/orgapachehbase-1473/
>>>>>
>>>>> Artifacts were signed with the 9AD2AE49 key which can be found in:
>>>>>
>>>>> https://downloads.apache.org/hbase/KEYS
>>>>>
>>>>> 3.0.0-alpha-2 is the second alpha release for our 3.0.0 major release line.
>>>>> HBase 3.0.0 includes the following big feature/changes:
>>>>> Synchronous Replication
>>>>> OpenTelemetry Tracing
>>>>> Distributed MOB Compaction
>>>>> Backup and Restore
>>>>> Move RSGroup balancer to core
>>>>> Reimplement sync client on async client
>>>>> CPEPs on shaded proto
>>>>> Move the logging framework from log4j to log4j2
>>>>>
>>>>> 3.0.0-alpha-2 contains a critical security fix for addressing the log4j2 CVE-2021-44228. All users who already use 3.0.0-alpha-1 should upgrade to 3.0.0-alpha-2 ASAP.
>>>>>
>>>>> Notice that this is not a production ready release. It is used to let our users try and test the new major release, to get feedback before the final GA release is out.
>>>>> So please do NOT use it in production. Just try it and report back everything you find unusual.
>>>>>
>>>>> And this time we will not include CHANGES.md and RELEASENOTE.md in our source code, you can find it on the download site. For getting these two files for old releases, please go to
>>>>>
>>>>> https://archive.apache.org/dist/hbase/
>>>>>
>>>>> To learn more about Apache hbase, please see
>>>>>
>>>>> http://hbase.apache.org/
>>>>>
>>>>> Thanks,
>>>>> Your HBase Release Manager
>>>>>
>>>>
>>>
>>> --
>>> Best regards,
>>> Andrew
>>>
>>> Words like orphans lost among the crosstalk, meaning torn from truth's decrepit hands
>>> - A23, Crosstalk
>>>
>>
>> --
>> Best regards,
>> Andrew
>>
>> Words like orphans lost among the crosstalk, meaning torn from truth's decrepit hands
>> - A23, Crosstalk
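The thread turns on two checks a reviewer of a release candidate actually performs: which log4j 2 jar versions the tarball ships (Andrew's veto condition is 2.17.0 or later) and whether the log4j2.formatMsgNoLookups=true mitigation that Josh verified is present in the shipped configuration. The script below is an added example, not code from this thread or from the HBase project. It constructs a toy tarball in a temp directory (the jar names, the hbase/lib and hbase/conf layout and the hbase-env.sh contents are assumptions made for the example) and then scans it the way one would scan a real release archive.

```python
"""Added example (not from the thread or the HBase project): answer the
compliance question "does this release ship a log4j 2 with a known CVE?"
by inspecting a release tarball for log4j-core/log4j-api jar versions and
for the log4j2.formatMsgNoLookups=true mitigation flag mentioned in the
RC vote. The tarball is constructed here so the script runs offline."""
import io
import os
import re
import tarfile
import tempfile
import zipfile

# Minimum version the thread settles on (the veto is cured by 2.17.0).
MIN_SAFE_LOG4J2 = "2.17.0"
# Matches e.g. log4j-core-2.15.0.jar or log4j-api-2.17.0.jar.
LOG4J_JAR_RE = re.compile(r"^log4j-(core|api)-(\d+(?:\.\d+)+)\.jar$")
NO_LOOKUPS_FLAG = "log4j2.formatMsgNoLookups=true"


def parse_version(text):
    """'2.17.0' -> (2, 17, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def scan_tarball(path, minimum=MIN_SAFE_LOG4J2):
    """Walk a tarball and report log4j 2 jars plus whether the flag is set."""
    jars = []
    flag_set = False
    with tarfile.open(path, "r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            base = os.path.basename(member.name)
            match = LOG4J_JAR_RE.match(base)
            if match:
                jars.append((base, match.group(2)))
            # Look for the mitigation flag in shell/env and properties files.
            if base.endswith((".sh", ".properties")):
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                if NO_LOOKUPS_FLAG in text:
                    flag_set = True
    below = [(name, ver) for name, ver in jars
             if parse_version(ver) < parse_version(minimum)]
    return {
        "jars": sorted(jars),
        "below_minimum": sorted(below),
        "no_lookups_flag": flag_set,
        "verdict": "upgrade required" if below else "ok",
    }


def _add_file(tar, name, data):
    """Add an in-memory file to a tar archive."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_tarball(directory, version):
    """Construct a toy tarball (NOT a real HBase release) carrying
    log4j-core/log4j-api jars of the given version and an hbase-env.sh
    that sets the no-lookups flag; this layout is an assumption."""
    path = os.path.join(directory, f"hbase-sample-{version}-bin.tar.gz")
    with tarfile.open(path, "w:gz") as tar:
        for artifact in ("core", "api"):
            buf = io.BytesIO()
            with zipfile.ZipFile(buf, "w") as jar:  # a jar is just a zip
                jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            _add_file(tar, f"hbase/lib/log4j-{artifact}-{version}.jar", buf.getvalue())
        env = 'export HBASE_OPTS="$HBASE_OPTS -Dlog4j2.formatMsgNoLookups=true"\n'
        _add_file(tar, "hbase/conf/hbase-env.sh", env.encode())
    return path


def demo(version):
    """Build a sample tarball with the given log4j version and scan it."""
    with tempfile.TemporaryDirectory() as workdir:
        return scan_tarball(build_sample_tarball(workdir, version))


if __name__ == "__main__":
    for ver in ("2.15.0", "2.17.0"):
        print(ver, demo(ver))
```

Point scan_tarball at a downloaded *-bin.tar.gz to run the same check on a real candidate; the version is compared as a numeric tuple so that 2.17.1 correctly ranks above 2.17.0 where a string comparison would not. The flag check is a presence test only: as Josh's note about it being set "multiple times per process" shows, a flag in a config file is a weaker guarantee than a jar version, so the verdict is driven by the version alone and the flag is reported separately.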