Thanks for bringing up policy, Ralph. For me, a new Log4j 1 release would have to patch a pretty catastrophic security vulnerability.
As Ralph pointed out, the first thing I would do is migrate to Log4j 2 and its support for 1.x.

Gary

On Sun, Dec 15, 2019 at 4:13 PM Ralph Goers <[email protected]> wrote:

> While Gary is correct that we wouldn’t want to discuss a specific security
> vulnerability in public we can discuss the policy here.
>
> For a number of reasons I would say the answer is “No”:
>
> It gives the impression that Log4j 1.x is not End-of-Life and that future
> enhancements and bug fixes could be accepted.
>
> We provide alternatives so that Log4j 1.x itself is not necessary. If
> features are missing in Log4j 2’s log4j 1.x binding then we would consider
> fixing those.
>
> None of the current committers has probably built Log4j 1 in the last 5
> years, much less attempted to perform a release.
>
> Log4j 1.x supported an ancient version of the JDK (1.2?). I am not even
> sure if that is possible any more. The oldest version I have installed is
> 1.7. I would have no idea how to validate that it was still compatible.
>
> Ralph
>
> > On Dec 15, 2019, at 7:25 AM, Gary Gregory <[email protected]> wrote:
> >
> > Security issues should not be discussed in public for obvious reasons.
> > Please see https://www.apache.org/security/
> >
> > Gary
> >
> > On Sun, Dec 15, 2019 at 7:01 AM Andrew Marlow <[email protected]> wrote:
> >
> >> Hello everyone,
> >>
> >> I know that log4j-v1 was announced as end of life back in 2015 and that all
> >> effort is on log4j2. However, I would very much like to see a new version,
> >> presumably it would be called 1.2.18, which addresses a security
> >> vulnerability. Is this the right place to discuss this please?
> >>
> >> --
> >> Regards,
> >>
> >> Andrew Marlow
> >> http://www.andrewpetermarlow.co.uk
