I might be able to look into doing a log4j2 patch if there was interest in that. But, I don't want to spend a lot of time doing that if the community has already decided on logback.
On Thu, Jan 20, 2022 at 4:27 AM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote: > I think we are slowly converging toward the following conclusion (at least > this is how I see it). > > - We want to make either Log4j2 or Logback as the default log engine. > - We would provide some blogpost / documentation / how-to about how to > change the default log engine. (even as simple as described here in this > comment: > https://github.com/apache/zookeeper/pull/1793#pullrequestreview-857545860 > , > extended with some audit logging example) > - Currently we have a good patch for Logback thanks to Andor and to all the > reviewers. > > As I would rather have something out sooner than later, for me the main > questions are: > (1) is logback good enough, or do we need log4j2? > (2) if we need log4j2, then is there anyone who could prepare a patch for > it soon? > > What do you think? > > Máté > > On Thu, Jan 20, 2022 at 9:15 AM Andor Molnar <an...@apache.org> wrote: > > > Thanks for the quick review Chris. > > > > I agree with the second part of your e-mail completely. I’m not sure > > either that the community has given a thumbs-up for logback, but I wanted > > to finalize my patch sooner, because I have other duties to take care of. > > > > I feel like logback is generally acceptable for ZK, but log4j2 would be > > more convenient, because most projects will eventually swap for it. > > > > Andor > > > > > > > > > On 2022. Jan 20., at 2:42, Chris Nauroth <cnaur...@apache.org> wrote: > > > > > > Thank you, Andor. I entered one more round of very minor feedback. > > > > > > I'm not sure about the licensing changes. I responded on the PR with my > > > thoughts, but I'd appreciate a second set of eyes on the licensing in > > > particular. > > > > > > After resolving that feedback, I'll be ready to +1 from a code > > perspective, > > > but it sounds like the discussion of direction is not necessarily > settled > > > here. Can others who have raised red flags please clarify the degree of > > > their objections? Is anyone actually -1 on a move to Logback? For my > > part, > > > even though I raised objections, I'm OK proceeding with Logback. I'll > > > likely swap it for the Log4J 2 SLF4J back-end in my deployments. (I > > > specifically tested this on your branch and confirmed it works.) > > > > > > Chris Nauroth > > > > > > > > > On Wed, Jan 19, 2022 at 1:46 PM Andor Molnar <an...@apache.org> wrote: > > > > > >> I’m done with all the changes that I wanted to include in the first > > >> logback patch. > > >> Most of Chris’ feedback has also been addressed as well as the > licensing > > >> changes. > > >> We have binary distribution which includes the logback jar, so I added > > EPL > > >> v1.0 > > >> to LINCENSE.txt and mentioned Logback in the NOTICE.txt file. Hope all > > >> done correctly. > > >> > > >> Documentation has also been updated according to the new logging > > backend. > > >> > > >> Migration of zookeeper-recipes and zookeeper-contrib projects will > come > > in > > >> the upcoming patch. > > >> > > >> Andor > > >> > > >> > > >> > > >>> On 2022. Jan 19., at 1:45, Ted Dunning <ted.dunn...@gmail.com> > wrote: > > >>> > > >>> I believe that the primary contributor to logback was highly > skeptical > > >> that > > >>> the recent problems could possible affect logback. That isn't a good > > >>> attitude for security problems. > > >>> > > >>> It isn't just a matter of patch rate. There is also the question of > > >>> community size. Is logback effectively a one-man show? > > >>> > > >>> > > >>> > > >>> On Tue, Jan 18, 2022 at 3:25 PM Christopher <ctubb...@apache.org> > > wrote: > > >>> > > >>>> While it has had recent activity, it is notable that logback only > > >> recently > > >>>> became active again for patches to the stable 1.2 releases. After > > >> several > > >>>> releases in early 2017, it did not have a stable release for over > four > > >>>> years between 31-Mar-2017 (v1.2.3) and 19-Jul-2021 (v1.2.4). > > >>>> > > >>>> On Tue, Jan 18, 2022 at 6:20 PM Christopher <ctubb...@apache.org> > > >> wrote: > > >>>> > > >>>>> Yes. It looks like logback is still actively being developed. 1.2 > > had a > > >>>>> release in December. The 1.3 line is still alpha and has also seen > > >> recent > > >>>>> releases (interestingly, it requires at least Java 9 to build, but > > will > > >>>> run > > >>>>> on Java 8, which is similar to what I had recommended for ZK in a > > >>>> different > > >>>>> thread). 1.2 only requires Java 1.6 or later. Since it's still > > >> receiving > > >>>>> patches, and it's not alpha, that's probably the best version to > use. > > >>>>> Currently, it seems to be at 1.2.9. > > >>>>> > > >>>>> On Tue, Jan 18, 2022 at 2:25 PM Andor Molnar <an...@apache.org> > > wrote: > > >>>>> > > >>>>>> I agree with you completely and this is crucial for logback too, > so > > >>>>>> correct me if I'm wrong. Logback is current and actively > maintained. > > >> Is > > >>>>>> that correct? > > >>>>>> > > >>>>>> Andor > > >>>>>> > > >>>>>> > > >>>>>> On Tue, 2022-01-18 at 12:43 -0500, Christopher wrote: > > >>>>>>> I do think these are more good reasons to adopt > > >>>>>>> something that is current and actively maintained, though, rather > > >>>>>>> than > > >>>>>>> something that is old and not active. > > >>>>>> > > >>>>>> > > >>>>>> > > >>>> > > >> > > >> > > > > >