Thank you Enrico! I like the reload4j idea for all our older, but still active releases. This is as backward compatible as we can get with solving the security issues. I think it would be good to do this also on branch-3.5, as this is an important security fix and I don't think we ever communicated EOL for 3.5 yet. Actually I'm happy to coordinate a new release on 3.5 after 3.8.0 is finished.
We should also clearly communicate on the webpage the default logging framework versions we ship with our different releases. I'm not sure, maybe the PMC members discussed this already, but it would be also important to come up with some EOL strategy to keep our active branches low and put it to our webpage. Best regards, Mate On Sun, Jan 30, 2022 at 9:11 AM Enrico Olivelli <eolive...@gmail.com> wrote: > Hello folks, > We are close to cutting some releases, at least I would like to do so, > but we should remove log41 from our binary tarballs. > > For the next upcoming major release, 3.8.0, we decided to switch to > Logback, good. > But the older branches, 3.5, 3.6, 3.7 we should remove log41 > > There is an initiative, https://reload4j.qos.ch/, that basically is a > fork of log4j1 with the security fixes, so it is 100% compatible. > > I sent a PR for the branch-3.7, I will do the same at least for 3.6, I > can do the same for 3.5 if anyone would like to cut a release some day > (I am not sure) > > https://github.com/apache/zookeeper/pull/1802 > > If there are any objections please anyone review my patch and we can > merge it in a few days, just to give time to the community to see this > message and express their thoughts. > > Best regards > Enrico >
