Hello,

We have been talking about log4j-audit (same thread as with log4j-server).

I have checked today after seeing Piotr's message, and even after reading the readme, I am still trying to figure out the purpose of this product. That aside, I am concerned the last change was four years ago. -audit depends on Log4j 2.10, which is affected by Log4Shell.

I checked on the releases, and I see only RCs here:
https://github.com/apache/logging-log4j-audit/tags

But two releases here:
https://logging.apache.org/log4j-audit/latest/download.html

What message are we sending? As I understand it, we are currently promoting software that contains Log4Shell without any word of warning or any development plan on the horizon.

Do we have any development cycles left to fix at least the security issues, with the Flume project probably merging into this project? I am not asking for the "will power", but the "real power": if it is not realistic to maintain this project, we should add warning labels, consider EOL, and/or actively search for contributors.

I am willing to support a bit, but only if I understand the use of -audit :)

Kind regards,
Christian