Vladimir,

I appreciate your energy and your enthusiasm, I do, but you're going to
have to pick your battles IMO.

I would say we (not but really wearing my PMC hat) have passively agreed
that we can move toward fixing CVEs and potential CVEs in what would be a
1.2.18.

For us to get there and while we are still navigating this storm, means
that we all have to make compromises and make a smooth path for the team,
infra, users. This new repo is part of this smoother path. So, please don't
get caught up in the mechanics, I encourage you to look toward the finish
line.

Allow me to relate what I am seeing in the enterprise and with
organizations that provide professional services that might make this whole
thing moot. As much as I explain the differences between Log4j 1 and 2 and
the different issues that have occurred in both, the path is clear: People
finally understand what end-of-life is and are moving toward Log4j 2. Let's
skip the discussion of the Yossarian-like pickle for people who had already
migrated and stepped into the RCE CVE. As I am advising these various
people, some realize the 1.2 bridge will work fine, others have started
rewriting their configuration in Log4j 2 XML on their own. All of this to
say that, even though 1.2 might be safer within certain bounds, and made
safer in the future, stacks are just moving to 2.x.

HTH,
Gary

On Thu, Dec 23, 2021 at 7:25 AM Vladimir Sitnikov <
sitnikov.vladi...@gmail.com> wrote:

> >All logging services Git repos start with logging-.
>
> I'm 100% sure INFRA can rename `apache/log4j` into `apache/logging-log4j1`,
> and it would be transparent for GitHub users.
> GitHub would automatically redirect from apache/log4j to
> apache/logging-log4j1
>
> >Of course you are free to screw around
>
> Just in case you miss:
> * What I really want to do here is to heal log4j 1.x for **everybody**.
> That is why I want to get the canonical repository and the canonical Maven
> coordinates.
> * Of course, for my private applications, I have created and fixed log4j
> 1.x **long ago**.
> I just realized, this "private forks" effort is duplicated all over the
> world,
> and I realized the right thing to do is to fix the official log4j 1.x no
> matter what "Logging PMC thinks of 1.x being EOL"
>
> Vladimir
>