> 1. It is an exact copy of log4j-1.2-api with the binary, source, and javadoc jars renamed to log4j:log4j.
> 2. The pom.xml has a dependency on log4j-1.2-api and the jar file is empty.

The options are bad as log4j-1.2-api misses several classes that are used a lot in log4j 1.x deployments. For instance, org.apache.log4j.jdbc.JDBCAppender. If you release that as log4j:log4j:2.x, then you trigger a lot of non-workable update suggestions.

----

Then, if you think log4j-1.2-api:2.x is good enough to replace log4j:log4j:1.x, then you basically say "all the issues in 1.x can be solved without breaking backward compatibility". I am afraid that contradicts Ron's message: https://lists.apache.org/thread/dlz8nyrsvffmgq29d354s0l484lfc83w

----

Just in case, as shown in reload4j, all the known CVEs can be **easily** solved while still being fully backward compatible. So if you are willing to push something to log4j:log4j:... I would suggest reconsidering log4j 1.x rather than faking it with an incompatible jar from 2.x.

Vladimir
