Thanks for the quick review Chris. I agree with the second part of your e-mail completely. I’m not sure either that the community has given a thumbs-up for logback, but I wanted to finalize my patch sooner, because I have other duties to take care of.
I feel like logback is generally acceptable for ZK, but log4j2 would be more convenient, because most projects will eventually swap for it. Andor > On 2022. Jan 20., at 2:42, Chris Nauroth <cnaur...@apache.org> wrote: > > Thank you, Andor. I entered one more round of very minor feedback. > > I'm not sure about the licensing changes. I responded on the PR with my > thoughts, but I'd appreciate a second set of eyes on the licensing in > particular. > > After resolving that feedback, I'll be ready to +1 from a code perspective, > but it sounds like the discussion of direction is not necessarily settled > here. Can others who have raised red flags please clarify the degree of > their objections? Is anyone actually -1 on a move to Logback? For my part, > even though I raised objections, I'm OK proceeding with Logback. I'll > likely swap it for the Log4J 2 SLF4J back-end in my deployments. (I > specifically tested this on your branch and confirmed it works.) > > Chris Nauroth > > > On Wed, Jan 19, 2022 at 1:46 PM Andor Molnar <an...@apache.org> wrote: > >> I’m done with all the changes that I wanted to include in the first >> logback patch. >> Most of Chris’ feedback has also been addressed as well as the licensing >> changes. >> We have binary distribution which includes the logback jar, so I added EPL >> v1.0 >> to LINCENSE.txt and mentioned Logback in the NOTICE.txt file. Hope all >> done correctly. >> >> Documentation has also been updated according to the new logging backend. >> >> Migration of zookeeper-recipes and zookeeper-contrib projects will come in >> the upcoming patch. >> >> Andor >> >> >> >>> On 2022. Jan 19., at 1:45, Ted Dunning <ted.dunn...@gmail.com> wrote: >>> >>> I believe that the primary contributor to logback was highly skeptical >> that >>> the recent problems could possible affect logback. That isn't a good >>> attitude for security problems. >>> >>> It isn't just a matter of patch rate. There is also the question of >>> community size. Is logback effectively a one-man show? >>> >>> >>> >>> On Tue, Jan 18, 2022 at 3:25 PM Christopher <ctubb...@apache.org> wrote: >>> >>>> While it has had recent activity, it is notable that logback only >> recently >>>> became active again for patches to the stable 1.2 releases. After >> several >>>> releases in early 2017, it did not have a stable release for over four >>>> years between 31-Mar-2017 (v1.2.3) and 19-Jul-2021 (v1.2.4). >>>> >>>> On Tue, Jan 18, 2022 at 6:20 PM Christopher <ctubb...@apache.org> >> wrote: >>>> >>>>> Yes. It looks like logback is still actively being developed. 1.2 had a >>>>> release in December. The 1.3 line is still alpha and has also seen >> recent >>>>> releases (interestingly, it requires at least Java 9 to build, but will >>>> run >>>>> on Java 8, which is similar to what I had recommended for ZK in a >>>> different >>>>> thread). 1.2 only requires Java 1.6 or later. Since it's still >> receiving >>>>> patches, and it's not alpha, that's probably the best version to use. >>>>> Currently, it seems to be at 1.2.9. >>>>> >>>>> On Tue, Jan 18, 2022 at 2:25 PM Andor Molnar <an...@apache.org> wrote: >>>>> >>>>>> I agree with you completely and this is crucial for logback too, so >>>>>> correct me if I'm wrong. Logback is current and actively maintained. >> Is >>>>>> that correct? >>>>>> >>>>>> Andor >>>>>> >>>>>> >>>>>> On Tue, 2022-01-18 at 12:43 -0500, Christopher wrote: >>>>>>> I do think these are more good reasons to adopt >>>>>>> something that is current and actively maintained, though, rather >>>>>>> than >>>>>>> something that is old and not active. >>>>>> >>>>>> >>>>>> >>>> >> >>