They are precisely in the binary ZIP:

$ unzip -l log4j/2.24.1/apache-log4j-2.24.1-bin.zip | grep cyclonedx
    29163  2024-09-24 13:33   log4j-1.2-api-2.24.1-cyclonedx.xml
    21118  2024-09-24 13:33   log4j-2.24.1-cyclonedx.xml
    25085  2024-09-24 13:33   log4j-api-2.24.1-cyclonedx.xml
   139136  2024-09-24 13:33   log4j-api-test-2.24.1-cyclonedx.xml
...

On Wed, Sep 25, 2024 at 8:48 PM Gary Gregory <garydgreg...@gmail.com> wrote:
> I expected to see SBOMs in the binary zip, CycloneDX and/or SPDX. Are
> they missing? Did I not find them?
>
> Gary
>
> On Tue, Sep 24, 2024 at 3:13 PM Piotr P. Karwasz
> <piotr.karw...@gmail.com> wrote:
> >
> > This is a vote to release the Apache Log4j `2.24.1`.
> >
> > Website: https://logging.staged.apache.org/log4j/2.24.1/index.html
> > GitHub: https://github.com/apache/logging-log4j2
> > Commit: 8ee9387d9ec2063ab11f27eaa43e44a13f4c9935
> > Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j/2.24.1
> > Nexus: https://repository.apache.org/content/repositories/orgapachelogging-1303
> > Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0
> > Review kit: https://logging.apache.org/logging-parent/release-review-instructions.html
> >
> > Please download, test, and cast your votes on this mailing list.
> >
> > [ ] +1, release the artifacts
> > [ ] -1, don't release, because...
> >
> > This vote is open for 72 hours and will pass unless getting a
> > net negative vote count. All votes are welcome and we encourage
> > everyone to test the release, but only the Logging Services PMC
> > votes are officially counted. At least 3 +1 votes and more
> > positive than negative votes are required.
> >
> > == Release Notes
> >
> > This release contains mainly bug fixes of problems encountered with
> > the thread context map, logger registry and configuration reloading.
> >
> > It also enhances integration tests to use Docker images of the most
> > recent releases of MongoDB and Elastic Search.
> >
> > === Changed
> >
> > * Rework `LoggerRegistry` to make it `MessageFactory`-namespaced. This
> > effectively allows loggers of same name, but different message
> > factory. (#2936)
> > * Enable Docker-based tests in CI for JSON Template Layout (#2953)
> >
> > === Fixed
> >
> > * Switch MongoDB tests to use Docker. (#2229)
> > * Fix reloading of the configuration from an HTTP(S) source (#2937)
> > * Fix `putAll()` in the default thread context map implementation (#2942)
> >
> > === Updated
> >
> > * Update `org.apache.logging:logging-parent` to version `11.3.0`