[
https://issues.apache.org/jira/browse/LOGCXX-539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457636#comment-17457636
]
Robert Middleton commented on LOGCXX-539:
-----------------------------------------
PR merged.
Note that the current plan is to remove the need for this for the next major
version by removing the capability for serialization of java objects, since
that is known to be insecure.
> Allow distribustion log4j to be used for socketservertest
> ---------------------------------------------------------
>
> Key: LOGCXX-539
> URL: https://issues.apache.org/jira/browse/LOGCXX-539
> Project: Log4cxx
> Issue Type: Improvement
> Components: Tests
> Reporter: Tobias Frost
> Priority: Minor
> Fix For: 0.13.0
>
> Attachments: 0003-Use-packaged-liblog4j-1.2.patch
>
>
> (This is a patch I need for the Debian packaging)
> In the CMakeLists.txt for the socket server tries to download log4j-1.2 from
> apache.
> Debian does not allow that resources be downloaded during build and has a
> policy that (if possible) packaged resources are to be used. In Debian log4j
> version 1.2 is packaged in the packge liblog4j1.2-java, so I need to use this
> one.
> The patch (will also be provided as PR) changes the logic that it will only
> download log4j if find_jar could not find it using default search paths.
> Additionally, I changed the md5 to a sha256 checksum, as md5s are insecure.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
