Has anyone asked the ASF Logging PMC if they'll forward security reports against log4j 1 to the reload4j project?
On Fri, Jan 21, 2022 at 3:33 AM Pankaj Kumar <pankajku...@apache.org> wrote: > +1 for reload4j. > > Regards, > Pankaj > > On Fri, Jan 21, 2022, 2:39 PM 张铎(Duo Zhang) <palomino...@gmail.com> wrote: > > > Already filed HBASE-26691. > > > > Wei-Chiu Chuang <weic...@apache.org> 于2022年1月21日周五 16:53写道: > > > > > +1 I am doing the same in Hadoop. > > > > > > On Fri, Jan 21, 2022 at 4:51 PM Viraj Jasani <vjas...@apache.org> > wrote: > > > > > > > +1 for Reload4J migration in active release branches. > > > > > > > > > > > > On Fri, 21 Jan 2022 at 12:52 PM, Andrew Purtell < > > > andrew.purt...@gmail.com> > > > > wrote: > > > > > > > > > +1 for migrating to Reload4J. It is binary and configuration > > compatible > > > > > with log4j 1 so meets our compatibility guidelines. > > > > > > > > > > If this is an agreeable plan I can make the changes in a PR and we > > can > > > do > > > > > a round of new releases. > > > > > > > > > > > On Jan 20, 2022, at 10:16 PM, Duo Zhang <zhang...@apache.org> > > wrote: > > > > > > > > > > > > On master we have already migrated to log4j2, but for all other > > > > release > > > > > > lines we are still on log4j1. > > > > > > > > > > > > Recently there are several new CVEs for log4j1, so I think we > > should > > > > also > > > > > > address them for release lines other than master. > > > > > > > > > > > > One possible solution is to also migrate log4j2 but use log4j12 > > > bridge > > > > to > > > > > > maintain the compatibility, but we have already known that > log4j12 > > > > bridge > > > > > > can not work perfectly with hadoop, as hadoop has some customized > > > > log4j1 > > > > > > appender implementations, which inherit some log4j1 appenders > which > > > are > > > > > not > > > > > > part of the log4j12 bridge. > > > > > > > > > > > > Reload4j is a fork of the log4j1 and has fixed the critical CVEs, > > so > > > it > > > > > is > > > > > > less hurt to replace log4j with reload4j. > > > > > > > > > > > > Suggestions are welcomed. > > > > > > > > > > > > Thanks. Regards > > > > > > > > > > > > > > >
