I think it would be great to hear what the expected changes are to be
made here. It still seems like a huge amount of work that nobody cared
about until we published a CVE for v2 which was only applicable to v2
(something I tend not to see in smaller projects who rarely if ever
bother filing CVEs when they fix security issues). If the desire is to
patch those CVEs, there are already at least two public forks that did
that already (along with butchering backward compatibility). If the
desire is to fix concurrency issues, those are already fixed in Log4j2
and Logback. Without some justification, making a new release of
Log4j1 just seems like a complete lack of trust in the PMC by forking
from 10 years ago.

On Thu, Jan 6, 2022 at 1:05 PM Christian Grobmeier <[email protected]> wrote:
>
> Hi
>
> On Thu, Jan 6, 2022, at 15:05, Ceki Gülcü wrote:
> > On 06/01/2022 14:42, Christian Grobmeier wrote:
> >> Which ones? The JMSAppender issue or the SocketServer issue? Both have
> >> been there >2012.  What is suddenly so critical it requires re-releasing 
> >> EOL software? Or did you mean the multithreading issues?
> >
> > Certain things have changed during the month of December 2021. The
> > answer to your question regarding urgency of the JMS and
> > SocketAppender** follows from there.
>
> What changed in December 2021 for log4j1?
>
> >> If you like, you can mentor the two potential contributors, review and 
> >> apply the patches. You could also craft the 1.2.18 release and put it up 
> >> for a vote.
> >
> > I don't understand. The PMC just voted to disallow 1.2.18 release for
> > other ASF committers. Have you not?
>
> I have voted for not working on 1.2.18 for the mentioned reasons; I see Ralph 
> answered this already, I have nothing to add. I also see you already wrote a 
> first message, so I think this is clarified.
>
> Cheers,
> Christian
>
>
> >
> > --
> > Ceki Gülcü
