Why are we changing to follow a spec we have never used before? I have concerns about “security” as a type. Unless we are going to support multiple types this doesn’t make a lot of sense to me as generally these fixes will be bugs. And rather than have a type of “security” I would prefer that instead a new attribute named “cve” be added where we can add the CVE number when there is one.
I guess you have already converted 2000 changeling entries so I guess I am not going to push to have them be changed to match changes.xml (and I should have noticed that earlier). But I would like a follow-on release to enhance it wrt the security type. Ralph > On Jan 10, 2023, at 5:06 AM, Volkan Yazıcı <vol...@yazi.ci> wrote: > > The rationale was explained in the `log4j-changelog` README: > https://github.com/apache/logging-log4j-tools/blob/master/log4j-changelog/README.adoc > In a nutshell, we stick to the https://keepachangelog.com/en/1.0.0/ > specification. > > I share the same grammatical concern, yet, it might be better to stick > to some form of standard. > > On Tue, Jan 10, 2023 at 12:51 PM Gary Gregory <garydgreg...@gmail.com> wrote: >> >> Curious: >> >> In the "classic" changelog, we use "add", "fix", and so on, simple enough. >> Here, we use the past tense "added", and so on, except that we don't use >> "secured", we use "security", an odd inconsistency I guess. Any reason for >> that? >> >> FWIW, I like the simpler shorter words "add" and so on. >> >> Gary >> >> On Tue, Jan 10, 2023, 05:55 Volkan Yazıcı <vol...@yazi.ci> wrote: >> >>> The Apache Log4j Tools 0.1.0 release is now available for voting. >>> >>> The 0.1.0 version is the very first release of this relatively old >>> repository, which is repurposed for `log4j-changelog`, Log4j's >>> `maven-changes-plugin` successor. This enables us to build the Log4j >>> website (incl. manual) in less than 30 seconds and use multiple issue >>> trackers, e.g., JIRA and GitHub Issues. All these Log4j improvements >>> are already submitted as PRs against the `release-2.x` branch and >>> waiting for this `log4j-tools` release. >>> >>> `log4j-changelog` README: >>> >>> https://github.com/apache/logging-log4j-tools/blob/master/log4j-changelog/README.adoc >>> >>> This release also constitutes another milestone in the history of ASF: >>> *the very first release signed and deployed via CI.* >>> >>> Source repository: https://github.com/apache/logging-log4j-tools >>> Branch: release/0.1.0 >>> Commit: e82a44142280d013bd76ea18951fde00dcee192b >>> CI run: >>> https://github.com/apache/logging-log4j-tools/actions/runs/3882476949 >>> Artifacts: https://dist.apache.org/repos/dist/dev/logging/log4j/ >>> Nexus repository: >>> https://repository.apache.org/content/repositories/orgapachelogging-1096 >>> Signing key: >>> https://keyserver.ubuntu.com/pks/lookup?search=077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0&fingerprint=on&op=index >>> >>> Please download, test, and cast your votes on the Log4j developers list. >>> >>> [ ] +1, release the artifacts >>> [ ] -1, don't release, because... >>> >>> The vote will remain open for 24 hours (or more if required). All >>> votes are welcome and we encourage everyone to test the release, but >>> only the Logging Services PMC votes are officially counted. At least 3 >>> +1 votes and more positive than negative votes are required. >>>
