I see, [1] introduces the reason that reload4j is born. As it is just a modification in pom file and the project is forked from log4j 1.2.17, I think it is fine.
BTW, I feel very very confusing why log4j community ends the life of log4j 1 (and in the same time the initial author of log4j 1 forks an independent project...) [1] https://reload4j.qos.ch/ ----------------------------------- Xiangdong Huang School of Software, Tsinghua University 黄向东 清华大学 软件学院 HW-Chao Wang <576749...@qq.com.invalid> 于2022年5月24日周二 17:24写道: > Because of the large amount of changes, the configuration file and import > of each class have to change. > > > > > ---Original--- > From: "Xiangdong Huang"<saint...@gmail.com> > Date: Tue, May 24, 2022 17:17 PM > To: "dev"<dev@iotdb.apache.org>; > Subject: Re: replacing log4j > > > Hi, I wonder why not log4j2? any comparison in other communities? > ----------------------------------- > Xiangdong Huang > School of Software, Tsinghua University > > 黄向东 > 清华大学 软件学院 > > > HW-Chao Wang <576749...@qq.com.invalid> 于2022年5月24日周二 16:23写道: > > > hi all , > > We need to consider replacing log4j1, because log4j1 is EOM and has > some > > CVE vulnerabilities. Reload 4J is used to replace it. Other open > source > > communities have been replaced. Refer to hbase-26691. > > Thanks&nbsp;