> What's the difference between cutting a new release right after the
> release and just postponing this release (again) to include this log4j
> version?
> I'd rather have a 4.3.4 accepted by our consumers instead of everyone just
> waiting for the 4.3.5 ;)

(just my 2cts and experience feedback about willing a perfect release)

Consumers waiting for something unrelated to log4j2 can adopt it 1 week before ;), and as JB said, there is no security enhancement in 2.16 - and some other parts of the JVM/libs are way more dangerous :p - so guess it is better to release and move forward than to keep postponing, which can delay the adoption for more than 1 month (keep in mind we are in the last work week in a lot of countries since Xmas is coming ;)).

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance>

On Tue, Dec 14, 2021 at 10:26, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:

> OK, so, let me prepare Pax Logging 2.0.12 then and cancel this vote to
> include this new Pax Logging version.
>
> Regards
> JB
>
> On 14/12/2021 10:20, Achim Nierbeck wrote:
> > tbh. What's the difference between cutting a new release right after the
> > release and just postponing this release (again) to include this log4j
> > version?
> > I'd rather have a 4.3.4 accepted by our consumers instead of everyone just
> > waiting for the 4.3.5 ;)
> >
> > my 2 cents :)
> >
> > regards, Achim
> >
> >
> > On Tue, Dec 14, 2021 at 10:09, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> >
> >> There's no big change between log4j 2.15 and 2.16 (in terms of CVE). So,
> >> I would leave this vote running, and prepare Pax Logging/Karaf new
> >> release after (pretty soon).
> >>
> >> Regards
> >> JB
> >>
> >> On 14/12/2021 09:30, Bernd Eckenfels wrote:
> >>> If you have any reason to delay it some more, a new pax logging with
> >>> log4j 2.0.16 should be close by ;) Log4j finally disabled JNDI and
> >>> removed the lookup code. Otherwise another minor release would also
> >>> be an option.
> >>> --
> >>> http://bernd.eckenfels.net
> >>> ________________________________
> >>> From: Francois Papon <francois.pa...@openobject.fr>
> >>> Sent: Tuesday, December 14, 2021 8:49:24 AM
> >>> To: dev@karaf.apache.org <dev@karaf.apache.org>
> >>> Subject: Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)
> >>>
> >>> +1 (binding)
> >>>
> >>> Thanks JB!
> >>>
> >>> regards,
> >>>
> >>> Francois
> >>>
> >>> On 13/12/2021 16:24, Jean-Baptiste Onofré wrote:
> >>>> Hi everyone,
> >>>>
> >>>> I submit Apache Karaf runtime 4.3.4 to your vote (take #2).
> >>>>
> >>>> This release includes dependency upgrades, fixes, and improvements,
> >>>> especially:
> >>>>
> >>>> - upgrade to Pax Logging 2.0.11, upgrading to log4j2 2.0.15, fixing
> >>>>   important security issue (CVE-2021-44228)
> >>>> - align dependencies versions between Karaf and Pax *
> >>>> - fix missing system export packages
> >>>> - fix on Karaf features json support
> >>>> - fix features autoRefresh configuration handling
> >>>> - fix on sshd session handling
> >>>> - update to sshd 2.8.0
> >>>> - lot of pax * updates
> >>>> - and much more !
> >>>>
> >>>> Please take a look at the Release Notes for details !
> >>>>
> >>>> Release Notes:
> >>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> >>>>
> >>>> Staging Maven Repository:
> >>>> https://repository.apache.org/content/repositories/orgapachekaraf-1164/
> >>>>
> >>>> Staging Dist Repository:
> >>>> https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> >>>>
> >>>> Git tag:
> >>>> karaf-4.3.4
> >>>>
> >>>> Please vote to approve this release:
> >>>>
> >>>> [ ] +1 Approve the release
> >>>> [ ] -1 Don't approve the release (please provide specific comments)
> >>>>
> >>>> This vote will be open for at least 72 hours.
> >>>>
> >>>> Regards
> >>>> JB