Thank you, Andor. I entered one more round of very minor feedback.

I'm not sure about the licensing changes. I responded on the PR with my
thoughts, but I'd appreciate a second set of eyes on the licensing in
particular.

After resolving that feedback, I'll be ready to +1 from a code perspective,
but it sounds like the discussion of direction is not necessarily settled
here. Can others who have raised red flags please clarify the degree of
their objections? Is anyone actually -1 on a move to Logback? For my part,
even though I raised objections, I'm OK proceeding with Logback.  I'll
likely swap it for the Log4J 2 SLF4J back-end in my deployments. (I
specifically tested this on your branch and confirmed it works.)

Chris Nauroth


On Wed, Jan 19, 2022 at 1:46 PM Andor Molnar <an...@apache.org> wrote:

> I’m done with all the changes that I wanted to include in the first
> logback patch.
> Most of Chris’ feedback has also been addressed as well as the licensing
> changes.
> We have binary distribution which includes the logback jar, so I added EPL
> v1.0
> to LINCENSE.txt and mentioned Logback in the NOTICE.txt file. Hope all
> done correctly.
>
> Documentation has also been updated according to the new logging backend.
>
> Migration of zookeeper-recipes and zookeeper-contrib projects will come in
> the upcoming patch.
>
> Andor
>
>
>
> > On 2022. Jan 19., at 1:45, Ted Dunning <ted.dunn...@gmail.com> wrote:
> >
> > I believe that the primary contributor to logback was highly skeptical
> that
> > the recent problems could possible affect logback. That isn't a good
> > attitude for security problems.
> >
> > It isn't just a matter of patch rate. There is also the question of
> > community size. Is logback effectively a one-man show?
> >
> >
> >
> > On Tue, Jan 18, 2022 at 3:25 PM Christopher <ctubb...@apache.org> wrote:
> >
> >> While it has had recent activity, it is notable that logback only
> recently
> >> became active again for patches to the stable 1.2 releases. After
> several
> >> releases in early 2017, it did not have a stable release for over four
> >> years between 31-Mar-2017 (v1.2.3) and  19-Jul-2021 (v1.2.4).
> >>
> >> On Tue, Jan 18, 2022 at 6:20 PM Christopher <ctubb...@apache.org>
> wrote:
> >>
> >>> Yes. It looks like logback is still actively being developed. 1.2 had a
> >>> release in December. The 1.3 line is still alpha and has also seen
> recent
> >>> releases (interestingly, it requires at least Java 9 to build, but will
> >> run
> >>> on Java 8, which is similar to what I had recommended for ZK in a
> >> different
> >>> thread). 1.2 only requires Java 1.6 or later. Since it's still
> receiving
> >>> patches, and it's not alpha, that's probably the best version to use.
> >>> Currently, it seems to be at 1.2.9.
> >>>
> >>> On Tue, Jan 18, 2022 at 2:25 PM Andor Molnar <an...@apache.org> wrote:
> >>>
> >>>> I agree with you completely and this is crucial for logback too, so
> >>>> correct me if I'm wrong. Logback is current and actively maintained.
> Is
> >>>> that correct?
> >>>>
> >>>> Andor
> >>>>
> >>>>
> >>>> On Tue, 2022-01-18 at 12:43 -0500, Christopher wrote:
> >>>>> I do think these are more good reasons to adopt
> >>>>> something that is current and actively maintained, though, rather
> >>>>> than
> >>>>> something that is old and not active.
> >>>>
> >>>>
> >>>>
> >>
>
>

Reply via email to