ctubbsii commented on PR #2290: URL: https://github.com/apache/zookeeper/pull/2290#issuecomment-3145955665
My concern was based on the potential incompatibility and potential breakage for existing users using the older series of logging dependencies. I think users can mitigate this by making their own decisions in their deployments about which logging dependencies to use at runtime. Ultimately, users are responsible for their own class paths. Any particular application can only make a best-effort approach at a particular point in time when releasing, but those decisions can quickly become out of date after release, so it's users who decide what's on a deployed system. As such, I don't think these warnings are very useful to users, and upstream devs in ZK should only take them as advisories.

I would just ignore the OWASP checks during the build, and not make it a release blocker, since upstream logback and slf4j don't have updates for these versions. Then, just advise users to consider newer logging dependencies, or a newer version of ZK.

In short, 1) check if there's a compatible update to these versions upstream, 2) if not, suppress the build error and include a note in the release notes to advise users.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
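The "suppress the build error and note it in the release notes" option described in the comment above is typically done with the OWASP dependency-check-maven plugin's suppression file. The following is an added illustration, not ZooKeeper's actual build configuration or the plugin's shipped defaults: the file path `owasp-suppressions.xml`, the plugin version placeholder, and the suppression notes are assumptions, and the suppression is keyed on the logback and slf4j package coordinates rather than on any specific CVE so that no finding identifier is invented here.

```xml
<!-- owasp-suppressions.xml (hypothetical path; added example, not the project's file).
     Each <suppress> entry silences findings for the matched artifacts.
     Keying on packageUrl (a regex over the Maven purl) keeps the suppression
     scoped to the logging dependencies under discussion and nothing else. -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      Advisory only: the pinned logback series has no compatible upstream update.
      Deployers choose the logback/slf4j versions on their own runtime class path;
      see the release notes for the recommended newer series.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-.*@.*$</packageUrl>
  </suppress>
  <suppress>
    <notes><![CDATA[Advisory only; same rationale as the logback entry above.]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.slf4j/slf4j\-.*@.*$</packageUrl>
  </suppress>
</suppressions>
```

The plugin is then pointed at that file from the `pom.xml` `<build><plugins>` section; `failBuildOnCVSS` is the plugin's threshold for turning a finding into a build failure, so raising it above 10 makes every remaining finding advisory (it is still listed in the report) without suppressing it, which is the weaker, broader option compared with the targeted suppressions above:

```xml
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version><!-- pin the plugin version here; placeholder, not a real pin --></version>
  <configuration>
    <!-- Targeted suppressions for the dependencies the project cannot update. -->
    <suppressionFiles>
      <suppressionFile>owasp-suppressions.xml</suppressionFile>
    </suppressionFiles>
    <!-- Default is 11 (never fail). Set to 7 (or lower) to block on high-severity
         findings that are NOT covered by a suppression; keep at 11 for report-only. -->
    <failBuildOnCVSS>7</failBuildOnCVSS>
  </configuration>
</plugin>
```

A suppression file should be reviewed at every release: each entry should carry a note explaining why the finding is accepted and what users are advised to do, and entries should be removed as soon as a compatible upstream update exists, otherwise the suppression outlives the reason for it.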