[ANNOUNCE] Apache Log4j Kotlin API 1.4.0 released
The Apache Log4j Kotlin API team is pleased to announce the 1.4.0 release.
This project contains a Kotlin-friendly interface to log against the Log4j API.
For further information (support, download, etc.) see the project website[1].

[1] https://logging.apache.org/log4j/kotlin/

=== Release Notes

This minor release fixes incorrect coroutine context map and stack.

Added

* Started generating CycloneDX SBOM with the recent update of `logging-parent` to version `10.2.0`

Changed

* Coroutine context is not cleared properly, only appended to (#54)
* Update `org.apache.logging:logging-parent` to version `10.2.0`
* Update `org.apache.logging.log4j:log4j-bom` to version `2.22.0` (#52)
* Update `org.apache.logging:logging-parent` to version `10.4.0` (#53)
* Update `org.codehaus.mojo:build-helper-maven-plugin` to version `3.5.0` (#51)
* Update `org.codehaus.mojo:exec-maven-plugin` to version `3.1.1` (#50)
* Update `org.junit:junit-bom` to version `5.10.1` (#49)

Apache Log4j Kotlin API team
[ANNOUNCE] Apache Log4j 2.22.1 released
The Apache Log4j team is pleased to announce the 2.22.1 release.
Apache Log4j is a versatile, industrial-strength Java logging framework composed of an API, its implementation, and components to assist the deployment for various use cases.
For further information (support, download, etc.) see the project website[1].

[1] https://logging.apache.org/log4j/

== Release Notes

This release contains only dependency upgrades and bug fixes, which do not change the behavior of the artifacts.

While maintaining compatibility with Java 8, the artifacts in this release were generated using JDK 17, unlike version `2.22.0` that used JDK 11.

=== Fixed

* Mark `JdkMapAdapterStringMap` as frozen if map is immutable. (#2098)
* Fix NPE in `CloseableThreadContext`. (#1426)
* Use the module name of Conversant Media Disruptor from version `1.2.16+` of the library.
* Fix NPE in `RollingFileManager`. (#1645)
* Fix `log4j-to-slf4j` JPMS and OSGi descriptors. (#1983)
* Workaround a Coursier/Ivy dependency resolution bug affecting `log4j-slf4j-impl` and `log4j-mongodb3`. (#2065)

=== Updated

* Bumped the minimum Java version required for the build to Java 17. Runtime requirements remain unchanged. (#2021)
* Update `com.github.luben:zstd-jni` to version `1.5.5-11` (#2030)
* Update `com.google.guava:guava` to version `33.0.0-jre` (#2110)
* Update `commons-codec:commons-codec` to version `1.16.0` (#2042)
* Update `commons-io:commons-io` to version `2.15.1` (#2034)
* Update `commons-logging:commons-logging` to version `1.3.0` (#2050)
* Update `io.netty:netty-bom` to version `4.1.104.Final` (#2095)
* Update `org.apache.commons:commons-compress` to version `1.25.0` (#2045)
* Update `org.apache.commons:commons-dbcp2` to version `2.11.0` (#2048)
* Update `org.apache.commons:commons-lang3` to version `3.14.0` (#2047)
* Update `org.apache.commons:commons-pool2` to version `2.12.0` (#2057)
* Update `org.apache.kafka:kafka-clients` to version `3.6.1` (#2068)
* Update `org.apache.logging:logging-parent` to version `10.5.0` (#2119)
* Update `org.jctools:jctools-core` to version `4.0.2` (#1984)
* Update `org.springframework.boot:spring-boot` to version `2.7.18` (#1998)
* Update `org.springframework.cloud:spring-cloud-dependencies` to version `2021.0.9` (#2109)

Apache Log4j Team
Re: Reproducibility checks
Hi Gary,

On Wed, 27 Dec 2023 at 13:58, Gary Gregory wrote:
> Please include whatever instructions you want folks to run in the vote
> email to prove reproducibility. Then at least we can agree on what it
> means to do the reproducibility check and when it passes or fails,
> assuming it's a binary property.

The steps to check reproducibility are in the vote e-mail:

    # Verify reproducibility
    umask 0022
    unzip *-src.zip -d src
    cd src
    export NEXUS_REPO=https://repository.apache.org/content/repositories/orgapachelogging-1254
    sh mvnw -Prelease verify artifact:compare -Dreference.repo=$NEXUS_REPO

> A long-standing pet peeve of mine is PMC members (in many projects,
> I'm not singling out Log4j here) that vote on a release candidate
> without stating _what_ they did to check the viability of said
> release.
>
> If this matters, it should be an Apache requirement, which it is not ATM
> AFAIK.

I agree, there should be some minimal best practices for release
verification. If Apache Security does not want ATM to set some
guidelines, I wouldn't mind if Apache Commons did.

BTW I cited your vote mail in this thread, mostly because you always
describe what you are checking. From the votes of some PMC members it
is impossible to deduce what was checked.

Piotr
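Added example (not part of the original e-mail or of the Log4j build): a manual form of the comparison behind the reproducibility step above, checking every file of a reference tree against a local rebuild by SHA-512. The function names, directory layout and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a local rebuild with reference artifacts by SHA-512.
# Function names, layout and sample files are constructed for illustration.

# Print the SHA-512 hex digest of one file (coreutils, else Perl's shasum).
digest() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# compare_trees REF_DIR BUILD_DIR
# Prints OK, DIFF or MISSING for every file under REF_DIR and returns 0 only
# when each one has a bit-identical counterpart under BUILD_DIR.
compare_trees() {
    ref=$1; build=$2; failed=0
    list=$(mktemp)
    (cd "$ref" && find . -type f | sort) > "$list"
    while IFS= read -r rel; do
        if [ ! -f "$build/$rel" ]; then
            echo "MISSING $rel"; failed=1
        elif [ "$(digest "$ref/$rel")" = "$(digest "$build/$rel")" ]; then
            echo "OK      $rel"
        else
            echo "DIFF    $rel"; failed=1
        fi
    done < "$list"
    rm -f "$list"
    return "$failed"
}

# Constructed sample: one identical file, one that embeds a build date,
# and one the rebuild did not produce at all.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ref" "$tmp/build"
    printf 'same bytes\n'        > "$tmp/ref/a.jar"
    printf 'same bytes\n'        > "$tmp/build/a.jar"
    printf 'built 2023-12-23\n'  > "$tmp/ref/b.jar"
    printf 'built 2023-12-27\n'  > "$tmp/build/b.jar"
    printf 'only in reference\n' > "$tmp/ref/c.pom"
    rc=0
    compare_trees "$tmp/ref" "$tmp/build" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then demo || echo "rebuild is NOT reproducible"; fi
```

Run the script with `--demo` to see the three outcomes; a non-zero return from `compare_trees` means at least one reference file could not be reproduced.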
Re: Reproducibility checks
Hi Piotr,

Please include whatever instructions you want folks to run in the vote
email to prove reproducibility. Then at least we can agree on what it
means to do the reproducibility check and when it passes or fails,
assuming it's a binary property.

A long-standing pet peeve of mine is PMC members (in many projects,
I'm not singling out Log4j here) that vote on a release candidate
without stating _what_ they did to check the viability of said
release.

If this matters, it should be an Apache requirement, which it is not ATM AFAIK.

Gary

On Wed, Dec 27, 2023 at 4:26 AM Piotr P. Karwasz wrote:
>
> Hi Gary,
>
> On Sat, 23 Dec 2023 at 17:45, Gary Gregory wrote:
> >
> > +1
> > - Tested src zip file
> > - ASC OK
> > - SHA512 OK
> > - `mvn clean verify` OK
> > - Using:
> > Apache Maven 3.9.6 (bc0240f3c744dd6b6ec2920b3cd08dcc295161ae)
> > Maven home: /usr/local/Cellar/maven/3.9.6/libexec
> > Java version: 17.0.9, vendor: Homebrew, runtime:
> > /usr/local/Cellar/openjdk@17/17.0.9/libexec/openjdk.jdk/Contents/Home
> > Default locale: en_US, platform encoding: UTF-8
> > OS name: "mac os x", version: "14.2.1", arch: "x86_64", family: "mac"
> > Darwin 23.2.0 Darwin Kernel Version 23.2.0: Wed Nov 15 21:54:10
> > PST 2023; root:xnu-10002.61.3~2/RELEASE_X86_64 x86_64
>
> Could you also add a reproducibility check in your next votes?
>
> For security reasons we can not release artifacts generated by the CI
> unless we can reproduce them locally or we know what exactly is the
> reason they can not be reproduced.
> This burden obviously falls on the Release Manager, but it would be
> nice to have independent confirmations before performing the release.
>
> After an actual release the Hervé's Reproducible Central project also
> verifies our artifacts, the results can be found here:
>
> https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/logging/log4j/log4j/README.md
>
> Additional projects (like Commons Logging) can be added with PRs like this
> one:
>
> https://github.com/jvm-repo-rebuild/reproducible-central/pull/134
>
> Piotr
>
> PS: I'll try to add PRs for your recent Commons releases, when I'll
> have some time.
Reproducibility checks
Hi Gary,

On Sat, 23 Dec 2023 at 17:45, Gary Gregory wrote:
>
> +1
> - Tested src zip file
> - ASC OK
> - SHA512 OK
> - `mvn clean verify` OK
> - Using:
> Apache Maven 3.9.6 (bc0240f3c744dd6b6ec2920b3cd08dcc295161ae)
> Maven home: /usr/local/Cellar/maven/3.9.6/libexec
> Java version: 17.0.9, vendor: Homebrew, runtime:
> /usr/local/Cellar/openjdk@17/17.0.9/libexec/openjdk.jdk/Contents/Home
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "14.2.1", arch: "x86_64", family: "mac"
> Darwin 23.2.0 Darwin Kernel Version 23.2.0: Wed Nov 15 21:54:10
> PST 2023; root:xnu-10002.61.3~2/RELEASE_X86_64 x86_64

Could you also add a reproducibility check in your next votes?

For security reasons we can not release artifacts generated by the CI
unless we can reproduce them locally or we know what exactly is the
reason they can not be reproduced.
This burden obviously falls on the Release Manager, but it would be
nice to have independent confirmations before performing the release.

After an actual release the Hervé's Reproducible Central project also
verifies our artifacts, the results can be found here:

https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/logging/log4j/log4j/README.md

Additional projects (like Commons Logging) can be added with PRs like this one:

https://github.com/jvm-repo-rebuild/reproducible-central/pull/134

Piotr

PS: I'll try to add PRs for your recent Commons releases, when I'll
have some time.