[
https://issues.apache.org/jira/browse/LOG4J2-3511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Matt Sicker resolved LOG4J2-3511.
---------------------------------
Assignee: Volkan Yazici
Resolution: Fixed
Volkan finished this a while back.
> Make Log4j use its own BOM
> --------------------------
>
> Key: LOG4J2-3511
> URL: https://issues.apache.org/jira/browse/LOG4J2-3511
> Project: Log4j 2
> Issue Type: Improvement
> Reporter: Volkan Yazici
> Assignee: Volkan Yazici
> Priority: Major
> Fix For: 3.0.0
>
>
> Even though we provide a BOM module (`log4j-bom`), we don't consume it
> ourselves. Hence occasionally we end up publishing artifacts not included in
> the BOM. Consuming our own BOM decreases the chances of missing out artifacts
> in BOM, though doesn't totally eliminate the chances of that happening.
> When I read [how Maven advises to structure the BOM
> module|https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#bill-of-materials-bom-poms],
> I understand what needs to be in the case of Log4j is the following:
> /pom.xml (`log4j-bom` module)
> /log4j-parent/pom.xml (`log4j` module importing `log4j-bom`)
> /log4j-parent/log4j-core/pom.xml (`log4j-core` module parented by `log4j`)
> Though what we have in reality is the following:
> /log4j-bom/pom.xml (`log4j-bom` module)
> /pom.xml (`log4j` module parented by `logging-parent`)
> /log4j-core/pom.xml (`log4j-core` module parented by `log4j`)
> Ideally we should follow the Maven-advised approach and consume from our BOM
> parented by `logging-parent`.
> See [the related mailing list
> discussion|https://lists.apache.org/thread/fcdq8gqdc7ccstbjj65hhx22xcwqm6nk].
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
