On Tue, Dec 14, 2021 at 9:54 AM Remko Popma <remko.po...@gmail.com> wrote:
> On Tue, Dec 14, 2021 at 11:44 PM Vladimir Sitnikov <sitnikov.vladi...@gmail.com> wrote:
>
> > >My understanding is it requires an extremely
> > >old JDK.
> > >Have you actually tried building the project to see if this is true?
> >
> > I was able to build the project with Maven3 and Java 1.8 by commenting out
> > tools.jar, "site-related", "antrun-related" stuff in pom.xml.
> > It did produce logj4.jar that worked with Weblogic APP.
> >
> > ----
> >
> > There's an alternative option:
> > * cut the files from the source
> > * take log4j-1.2.17.jar
> > * remove the offending classes
> > * re-save the file as log4j-1.2.18.jar
> > * manually upload it to oss.sonatype.org via UI :)

I am sorry but this is not acceptable. Strictly speaking, Apache releases source code, all binaries are just a convenience for our users and must be built from source.

Gary

> > It might be easier than trying to find the proper tools for the
> > compilation.
>
> About the alternative solution:
> How would we then be able to ever release a log4j-1.2.19 jar if we find
> another security vulnerability? I don't like this idea.
>
> If we do a new Log4j 1.x release, we should do it from source.
> I believe that 1.2.17 targets Java 1.4(!), but it may be the case that the
> oldest JDK available from Oracle is Java 5.
> We can consider setting the compiler option to create Java 1.4 byte code,
> since we are only removing classes. (Vladimir, is this correct?)
>
> Also, I think we can consider not supporting any appenders that require
> native code.
> I believe that last one was one of the major stumbling blocks, I could be
> wrong.
>
> > Vladimir