Okay. Would it be a good idea to retain support for the %m{nolookups}
configuration format? (Silently accept and ignore it.)

When the configuration contains %m{lookups}, it may be good to print a WARN
message to the status logger that this setting will be ignored.

> On Dec 13, 2021, at 12:24, Ralph Goers <ralph.go...@dslextreme.com> wrote:
> I have just put up a PR. Please review it. Either Matt or I can cut a 
> 2.16.0. I don’t see the point of 2.15.1 if we are going to do this.
> 
> Ralph
> 
>> On Dec 12, 2021, at 7:49 PM, Gary Gregory <garydgreg...@gmail.com> wrote:
>> 
>> I like RERO but 3 releases in a week is a lot even for me :-)
>> 
>> Gary
>> 
>>> On Sun, Dec 12, 2021 at 9:41 PM Remko Popma <remko.po...@gmail.com> wrote:
>>> It seems that Ralph has already started to work on a PR to remove message
>>> lookups altogether from 2.x.
>>> I have come around to Volkan’s point that we don’t want to ask users to
>>> upgrade Log4j every week.
>>> So it maybe better to cancel the 2.15.1 release and have a dedicated
>>> security release 2.16.0 with just the JNDI change and removing message
>>> lookups altogether.
>>> Does anyone have a strong desire to release 2.15.1 with just the JNDI
>>> change?
>>>> On Dec 13, 2021, at 11:06, Gary Gregory <garydgreg...@gmail.com> wrote:
>>>> Should we proceed with 2.15.1 or cancel it and go to 2.16.0 straight away?
>>>> Gary
>>>>> On Sun, Dec 12, 2021, 20:40 Remko Popma <remko.po...@gmail.com> wrote:
>>>>> I am also okay with removing Message Lookups from 2.x.
>>>>> A release with that change should be called 2.16.0 though, not 2.15.1 or
>>>>> 2.15.2.
>>>>> Also it makes sense to *only* have that security change (removing Message
>>>>> Lookups) in such a 2.16.0 release and not add other features.
>>>>> This will reduce the testing burden for people looking to upgrade.
>>>>> On Mon, Dec 13, 2021 at 8:12 Ralph Goers <ralph.go...@dslextreme.com> wrote:
>>>>>> Volkan,
>>>>>> While ASF rules say a -1 vote is not a veto, for all practical purposes the
>>>>>> release manager is going to consider it a blocker.
>>>>>> A release that removes JNDI will prevent people from inadvertently using
>>>>>> the JNDI Lookup, JMS, or JndiContextSelector
>>>>>> without understanding the security risk using them. Message Lookups are a
>>>>>> different problem. We are not disabling JNDI
>>>>>> so people can re-enable message lookups. That would be crazy. We are
>>>>>> disabling JNDI because, despite all the fixes we
>>>>>> have made, I still don’t trust it.
>>>>>> We have all agreed Message Lookups need to be killed in master. If we are
>>>>>> all in agreement to kill them now in 2.x I’m
>>>>>> fine with that but the two are separate issues.
>>>>>> If you are OK with the release then your vote should be anything but -1.
>>>>>> If you really feel it needs a -1 then we need to see
>>>>>> if we are all ok completely removing the option to re-enable message
>>>>>> lookups. I would completely understand if that is what
>>>>>> you want and I would support that so please don’t feel pressured to give
>>>>>> in.
>>>>>> Ralph
>>>>>>> On Dec 12, 2021, at 2:08 PM, Volkan Yazıcı <vol...@yazi.ci> wrote:
>>>>>>> You don't need my vote. As far as I count, you already have more than 3.
>>>>>>> I can imagine Ralph and the rest have worked sleeplessly for days. Hence if
>>>>>>> they think disabling JNDI buys us a benefit, so be it.
>>>>>>> If not millions, tens of thousands of people tried to upgrade Log4j to
>>>>>>> 2.15.0 recently. A release where the JNDI lookup is disabled will only address
>>>>>>> people who still (astonishingly!) want to use "message lookups" – correct
>>>>>>> me if I'm wrong. Hence, I think in its current form, 2.15.1 will bring more
>>>>>>> confusion than benefit to the general audience. I think the fix to the
>>>>>>> vulnerability is to disable message lookups, not patches to the JNDI
>>>>>>> lookup. I want to believe that users get this fact right and have already
>>>>>>> disabled it. We need to be really careful with our next release. We can't
>>>>>>> expect people to upgrade once a week. Putting aside the damage it does to
>>>>>>> the reputation of the project.
>>>>>>> On Sun, Dec 12, 2021 at 9:47 PM Remko Popma <remko.po...@gmail.com> wrote:
>>>>>>>> First, is this really a blocker for 2.15.1?
>>>>>>>> I think it is prudent to do urgent releases soon.
>>>>>>>> This JNDI change (LOG4J2-3208
>>>>>>>> <https://issues.apache.org/jira/browse/LOG4J2-3208>) feels urgent enough to
>>>>>>>> warrant another shortened vote window.
>>>>>>>> A larger change like removing message lookups should not be rushed out like
>>>>>>>> this, it needs review time.
>>>>>>>> Second, do we really want to do this? Are we not overreacting?
>>>>>>>> Would it not be better to remove lookups in message parameters only?
>>>>>>>> (In implementation terms, resolve all lookups *before* interpolating the
>>>>>>>> message parameters?)
>>>>>>>> Also, let me state the obvious, lookups *in configuration* are tremendously
>>>>>>>> useful and should not be removed.
>>>>>>>> This may be obvious to some of us, but I just want to make sure there is no
>>>>>>>> confusion about that (because I personally was confused about this at some
>>>>>>>> point). :-)
>>>>>>>> Finally, if we decide to do this, should a change like this be in a
>>>>>>>> point/bugfix release (2.15.1) or should it be a separate minor release like
>>>>>>>> 2.16.0?
>>>>>>>> On Mon, Dec 13, 2021 at 5:10 AM Remko Popma <remko.po...@gmail.com> wrote:
>>>>>>>>> Shall we discuss this first please?
>>>>>>>>> On Mon, Dec 13, 2021 at 5:10 AM Matt Sicker <boa...@gmail.com> wrote:
>>>>>>>>>> If you can handle that change, I can roll a new release candidate.
>>>>>>>>>> Matt Sicker
>>>>>>>>>>> On Dec 12, 2021, at 14:07, Volkan Yazıcı <vol...@yazi.ci> wrote:
>>>>>>>>>>> I know. I want them to be removed, not disabled.
>>>>>>>>>>>> On Sun, Dec 12, 2021 at 9:01 PM Matt Sicker <boa...@gmail.com> wrote:
>>>>>>>>>>>> Those were already disabled in 2.15.0.
>>>>>>>>>>>> Matt Sicker
>>>>>>>>>>>>> On Dec 12, 2021, at 13:41, Volkan Yazıcı <vol...@yazi.ci> wrote:
>>>>>>>>>>>>> I very well recognize your heroic effort on tackling this issue and I am
>>>>>>>>>>>>> very thankful for that.
>>>>>>>>>>>>> I vote -1, because I want message (not configuration!) lookups to be
>>>>>>>>>>>>> removed.
>>>>>>>>>>>>> Message lookups create a vast attack surface. Anything they offer can
>>>>>>>>>>>>> simply be implemented by the user.
>>>>>>>>>>>>>> On Sun, Dec 12, 2021 at 4:48 AM Matt Sicker <boa...@gmail.com> wrote:
>>>>>>>>>>>>>> This is a vote to release Log4j 2.15.1, the next version of the Log4j 2
>>>>>>>>>>>>>> project.
>>>>>>>>>>>>>> Please download, test, and cast your votes on the log4j developers list.
>>>>>>>>>>>>>> [] +1, release the artifacts
>>>>>>>>>>>>>> [] -1, don't release because...
>>>>>>>>>>>>>> The vote will remain open for 72 hours (or more if required). All votes
>>>>>>>>>>>>>> are welcome and we encourage everyone to test the release, but only Logging
>>>>>>>>>>>>>> PMC votes are “officially” counted. As always, at least 3 +1 votes and more
>>>>>>>>>>>>>> positive than negative votes are required.
>>>>>>>>>>>>>> Changes in this release include:
>>>>>>>>>>>>>> Fixed Bugs
>>>>>>>>>>>>>> * LOG4J2-3208: Disable JNDI by default. Require log4j2.enableJndi to be
>>>>>>>>>>>>>> set to true to allow JNDI.
>>>>>>>>>>>>>> Tag:
>>>>>>>>>>>>>> a)  for a new copy do "git clone
>>>>>>>>>>>>>> https://github.com/apache/logging-log4j2.git" and then "git checkout
>>>>>>>>>>>>>> tags/log4j-2.15.1-rc1”  or just "git clone -b log4j-2.15.1-rc1
>>>>>>>>>>>>>> https://github.com/apache/logging-log4j2.git"
>>>>>>>>>>>>>> b) for an existing working copy to “git pull” and then “git checkout
>>>>>>>>>>>>>> tags/log4j-2.15.1-rc1”
>>>>>>>>>>>>>> Web Site:
>>>>>>>>>>>>>> https://logging.staged.apache.org/log4j/2.x/index.html
>>>>>>>>>>>>>> Maven Artifacts:
>>>>>>>>>>>>>> https://repository.apache.org/content/repositories/orgapachelogging-1067/
>>>>>>>>>>>>>> Distribution archives:
>>>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/logging/log4j/
>>>>>>>>>>>>>> You may download all the Maven artifacts by executing:
>>>>>>>>>>>>>> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate
>>>>>>>>>>>>>> https://repository.apache.org/content/repositories/orgapachelogging-1067/org/apache/logging/log4j/
