riven8192 commented on pull request #649:
URL: https://github.com/apache/logging-log4j2/pull/649#issuecomment-999883312
Thanks for the information regarding the branches @garydgregory.
I will not (yet) make PRs for those branches, as it seems it'd be preferable
to agree on the underlying principles.
I quite regularly see jars with repackaged dependencies, simply because it
reduces the problems you can face when multiple projects/dependencies require
different versions of dependencies on the classpath. I actually encountered
repackaged dependencies in several Google client-APIs. It would be rather
unfortunate if people were to effectively lose the security of the latest
patches because they turned out to have repackaged classes on the classpath.
I agree with you that in principle log4j should not support
artifact-mangling, but given the potential security implications I think it's
strongly recommended to replace:
`clazz.getName().equals("org.apache.logging.log4j.core.lookup.JndiLookup")`
with:
`clazz.getName().contains(".log4j.") && clazz.getName().endsWith(".JndiLookup")`
as proposed in the PR.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
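The two checks contrasted in the comment above, side by side, as an added example that is not code from the log4j PR or project. Only the canonical class name is real; the shaded/relocated variants and the near-miss names are constructed samples (assumed relocation prefixes, not taken from any real artifact) to show which names each check accepts.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example: compares the exact class-name check discussed in the PR
 * with the relaxed contains/endsWith check proposed in the comment.
 * All sample names except CANONICAL are constructed for this demo.
 */
public class JndiLookupNameCheck {

    /** The un-relocated name of the class the check targets. */
    static final String CANONICAL = "org.apache.logging.log4j.core.lookup.JndiLookup";

    /** Exact match: defeated by any shade/relocation prefix. */
    static boolean exactCheck(String className) {
        return className.equals(CANONICAL);
    }

    /** Relaxed match from the comment: tolerant of a relocation prefix,
     *  as long as a ".log4j." package segment and the simple name survive. */
    static boolean relaxedCheck(String className) {
        return className.contains(".log4j.") && className.endsWith(".JndiLookup");
    }

    public static void main(String[] args) {
        List<String> samples = Arrays.asList(
            CANONICAL,
            // constructed: typical maven-shade style relocation prefixes (assumptions)
            "com.example.shaded.org.apache.logging.log4j.core.lookup.JndiLookup",
            "repackaged.log4j.core.lookup.JndiLookup",
            // constructed near-misses that must NOT be treated as JndiLookup
            "org.apache.logging.log4j.core.lookup.JndiLookupHelper",
            "com.example.lookup.JndiLookup"
        );
        System.out.printf("%-70s %-6s %-7s%n", "class name", "exact", "relaxed");
        for (String name : samples) {
            System.out.printf("%-70s %-6b %-7b%n", name, exactCheck(name), relaxedCheck(name));
        }
    }
}
```

Running `main` shows the exact check accepting only the canonical name, while the relaxed check also accepts the two relocated variants and still rejects `JndiLookupHelper` and a `JndiLookup` outside any `.log4j.` package. The relaxed check rests on the relocation leaving a `.log4j.` segment and the simple class name intact; a relocation that rewrites those segments would evade both checks, which is the limit of any name-based approach.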