Dear Vladimir, > When it comes to code-related changes, the reviews are vague, and it is > really hard (impossible?) to find consensus. I somehow got an idea that ripping out classes that could lead to a NoClassDefFoundError for existing users did not fit the definition of "binary compability" for the log4j2 committers. As much as I would love to rip the classes in question out, I must admit that doing so is not binary compatible.
And if I recall correctly, the request on https://github.com/apache/log4j/pull/17 was to separate build changes from the code fixes and start with a PR to fix one CVE only (and have that fix to be something else than removing a class) so that can be reviewed in reasonable time. And if I read between the lines well, the committers wanted to see viable PRs before doing infra work that you are (correctly) suggesting. But apologies for butting in if I got something wrong. Best regards, Andrew
