Hey folks, First, thanks for all the hard work on 2.x, especially these last couple of weeks! Please take care of yourself and be kind to yourself :) Obviously 2.x should get full focus from all that can productively contribute to it.
I do agree with Vladimir about giving 1.x a little attention. With the whole world doing forensics it is clear how widespread 1.x still is. Seems worth it to make a slightly safer lib, for all those people that cannot easily upgrade to 2.x, so they can just drop in a new jar. I investigated the current build a bit. Notes below mail. It -does- seem feasible for a logging.a.o committer with SVN write access + people.apache.org access to make a new 1.x release 'the ancient way' with limited effort. I.e. https://logging.apache.org/log4j/1.2/building.html is mostly workable today. But...then you are stuck with very old-style library maintenance. Best clean house a bit more (right?). If cleanup is the way to go, seems some next steps include * convert with svn2git * I kicked off a run, takes a few hours * bump the build toolchain up to modern standards/versions * set up OpenJDK 6 as a mvn toolchain for compiling, for max compatibility (toolchain pom.xml patch below). * use any version of Maven 3 on an LTS version of Ubuntu with any JDK (7+), clean up the build setup, delete some ancient cruft. * don't bother releasing new binary versions of the windows DLLs, people who need them can use the old DLLs or build from source. * make some patches to delete vulnerable/network code * perhaps add some warnings for now-unsupported (JMS) config * add tests proving the new behavior * write some docs on how to use the new version and link to 2.x upgrade instructions * draft some release notes * fix generated site * include the end-of-life disclaimer that's in the HTML (into template?) * update with additional instructions * make the site setup work with apache cms * make it real easy to review the result, bake & propose an RC * hand off to committers/PMC for release Make sense? Any suggestions or objections? Nothing too hard, just grunt work :) Cheers, Leo Main findings ------------- * Main build is "fine" * Log4J 1.x seems to build fine with modern JDK and modern Maven 3, with source/target=1.4 set * Log4J 1.x seems to build fine on ubuntu 14.0.4.6, with JDK 1.7 for maven plus JDK 1.6 toolchain for compile, and an ancient Maven 3 * probably best to pick this option 'for safety' * see detailed howto below * Compiles fine, tests pass * Maven release plugin seems setup correctly and working * needs committer with SVN write access to do `maven release:prepare; maven release:perform` * JNI/native build is not worrisome * I did not attempt to re-build the NT DLLs, but this is not needed to ship a new source dist or new jar, any users can pick old .dll with new jar * jnd_md.h referred in build is easy to get: version from Oracle JDK 6 is identical to OpenJDK 11 version aside from license header * Site * Maven site generates ok, but * publishing instructions are wrong * misses the end of life header * Probably HTML site was edited by hand to add this header? * Would suggest to simply edit HTML by hand some more Detailed steps to produce a build --------------------------------- * download and install virtualbox * download and install ubuntu 14.04.6 LTS 64 bit VM * https://www.osboxes.org/ubuntu/ * this is the oldest supported LTS ubuntu * ubuntu 12.04 LTS is closer but is unsupported * this has openjdk 6 * password osboxes.org * apt-get dist-upgrade && reboot * install virtualbox guest additions and reboot * https://www.osboxes.org/guide/ * to get jni_md.h: * this does not seem to be strictly needed to make a release, the native build gets skipped on linux * best option: get it from https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/windows/native/include/jni_md.h * this is GPLv2 + classpath exception, classpath exception makes it fine to use here * cumbersome: download and install IE11 on Windows 7 64 bit VM * https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ * password Passw0rd! * run windows update and reboot * install virtualbox guest additions and reboot * https://www.osboxes.org/guide/ * download and install sun/oracle JDK 6u41 (matching ubuntu) * https://www.oracle.com/java/technologies/javase-java-archive-javase6-downloads.html * open \Program Files\Java\jdk_1.6.....\include\win32 * copy jni_md.h and paste to homedir on ubuntu * alternative: get it from https://github.com/lsimons/jni_md.h * got this file using the steps above * don't use by downloading from here, that might be a bit illegal in your jurisdiction * proves it is the same file as in JDK11 as per above * follow rest of build instructions * apt-get install openjdk-6-jdk * apt-get install maven2 subversion mingw32 xemacs21 openssh-server * sudo cp /mnt/Downloads/jni_md.h ~osboxes/ * sudo chown osboxes:osboxes ~osboxes/jni_md.h * export JNI_WIN32_INCLUDE_DIR=/home/osboxes * export SVN_EDITOR=xemacs21 * mkdir ~/.m2 * cat >~/.m2/settings.xml <<END <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd";> <!--<mirrors> <mirror> <id>central-https</id> <name>Central over HTTPS</name> <url>https://repo1.maven.org/maven2</url> <mirrorOf>central</mirrorOf> </mirror> </mirrors>--> <profiles> <profile> <id>https</id> <activation> <activeByDefault>true</activeByDefault> </activation> <repositories> <repository> <id>central</id> <name>Central Repository</name> <url>https://repo1.maven.org/maven2</url> <layout>default</layout> <snapshots> <enabled>false</enabled> </snapshots> </repository> </repositories> <pluginRepositories> <pluginRepository> <id>central</id> <name>Central Repository</name> <url>https://repo1.maven.org/maven2</url> <layout>default</layout> <snapshots> <enabled>false</enabled> </snapshots> <releases> <updatePolicy>never</updatePolicy> </releases> </pluginRepository> </pluginRepositories> </profile> </profiles> </settings> END * svn co http://svn.apache.org/repos/asf/logging/log4j/trunk log4j * cd log4j * mvn package release:prepare fails with: [WARNING] Unable to get resource 'org.apache.felix:maven-bundle-plugin:pom:2.1.0' from repository central ( https://repo.maven.apache.org/maven2): Error transferring file: Received fatal alert: protocol_version Downloading: https://repo.maven.apache.org/maven2/org/apache/felix/maven-bundle-plugin/2.1.0/maven-bundle-plugin-2.1.0.pom so...maven 3 it is. That needs JDK 7. * sudo apt-get install openjdk-7-jdk * sudo apt-get install maven # 3.0.5... * sudo update-alternatives --config mvn * vi ~/log4j/pom.xml * patch pom.xml <<END Index: pom.xml =================================================================== --- pom.xml (revision 1895980) +++ pom.xml (working copy) @@ -89,6 +88,26 @@ <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-toolchains-plugin</artifactId> + <version>1.1</version> + <executions> + <execution> + <goals> + <goal>toolchain</goal> + </goals> + </execution> + </executions> + <configuration> + <toolchains> + <jdk> + <version>1.6</version> + <vendor>openjdk</vendor> + </jdk> + </toolchains> + </configuration> + </plugin> + <plugin> + <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-resources-plugin</artifactId> <configuration> <encoding>UTF-8</encoding> END * cat >~/.m2/toolchains.xml <<END <?xml version="1.0" encoding="UTF-8"?> <toolchains> <!-- JDK toolchains --> <toolchain> <type>jdk</type> <provides> <version>1.6</version> <vendor>openjdk</vendor> </provides> <configuration> <jdkHome>/usr/lib/jvm/java-1.6.0-openjdk-amd64</jdkHome> </configuration> </toolchain> </toolchains> END * mv ~/.m2/settings.xml ~/.m2/settings.xml.bak # that was for maven 2 * mvn package release:prepare with settings: [INFO] Checking dependencies and plugins for snapshots ... What is the release version for "Apache Log4j"? (log4j:log4j) 1.2.18: : 1.2.18-RC1 What is SCM release tag or label for "Apache Log4j"? (log4j:log4j) log4j-1.2.18-RC1: : v1.2.18-RC1 What is the new development version for "Apache Log4j"? (log4j:log4j) 1.2.18-RC2-SNAPSHOT: : 1.2.18-RC2-SNAPSHOT [INFO] Transforming 'Apache Log4j'... fails at the very end due to permissions (good): [INFO] Executing: /bin/sh -c cd /home/osboxes/log4j && svn --non-interactive commit --file /tmp/maven-scm-895115457.commit --targets /tmp/maven-scm-5194221240786270512-targets [ERROR] svn: E175013: Commit failed (details follow): [ERROR] svn: E175013: POST of '/repos/asf/!svn/me': 403 Forbidden ( http://svn.apache.org) * mvn site assembly:assembly also works, but shows an old site!
