[
https://issues.apache.org/jira/browse/FLINK-29716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17622313#comment-17622313
]
Chesnay Schepler commented on FLINK-29716:
------------------------------------------
The log4j jars are bundled separately to allow users to switch logging backends
or even go back to log4j1.
There's no such requirement for slf4j.
Should we upgrade to slf4j 2.x then that is just what Flink will require like
any other direct dependency.
Given that it is a compile dependency (unlike log4j) replacing it isn't as
trivially safe as log4j is; for example if we were to start using the new
fluent logging API then replacing it with slf4j v1 is just not an option.
> Separate slf4j jar in the lib folder from the distribution
> ----------------------------------------------------------
>
> Key: FLINK-29716
> URL: https://issues.apache.org/jira/browse/FLINK-29716
> Project: Flink
> Issue Type: Improvement
> Affects Versions: 1.15.2
> Reporter: Alexis Sarda-Espinosa
> Priority: Major
>
> Flink's binary distribution includes several jars under the {{lib}} folder,
> which has individual jars for all log4j artifacts. This makes it relatively
> easy to swap out those logging jars when necessary, for example when critical
> vulnerabilities are found (as was recently the case).
> With SLF4J 2.+, some breaking changes mean that many implementations are not
> directly backwards compatible, see for example the [notes for
> log4j2|https://logging.apache.org/log4j/2.x/log4j-slf4j-impl/index.html].
> This means that, in the future, if swapping logging jars were necessary, the
> SLF4J jar might have to be changed as well.
> Right now the SLF4J jar is not included separately in the distribution, I
> believe it's packed inside the {{flink-dist}} jar, although I'm not sure. It
> would be better to separate that as it is done for the default log4j2 jars.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
