Re: [DISCUSS] upgrading log4j to to log4j2 in Tika's 1.x branch

2021-12-15 Thread Luís Filipe Nassif 
Great, Thank you, Tim!

Em qua., 15 de dez. de 2021 às 16:50, Tim Allison 
escreveu:

> I've merged Lewis's edits to the README and added the EOL.  Let's do
> what both Konstantin and Nick recommend: README, notifications to
> user/dev lists x months out and include EOL in all release messages?
>
> Please let me know/edit the README if there are other improvements we
> should make.
>
> Thank you, all!
>
> Cheers,
>
>  Tim
>
> On Wed, Dec 15, 2021 at 1:20 PM Konstantin Gribov 
> wrote:
> >
> > My +1 to EOL on September 30, 2022 with effective backport submission
> > freeze 3 months before that.
> >
> > I think it would be better if we mention the EOL timeline at least in 3
> > places: in each release announcement, in README and on the site (on the
> > main page or in release news articles). Different downstream users look
> at
> > different sources, so more visibility seems to be a good idea to me. I
> saw
> > a lot of projects still using log4j 1.2.x in the wild and have a feeling
> > that it's partially due to lack of visibility about its EOL.
> >
> > Also we can send a message to announce@a.o (if it's not discouraged by
> ASF
> > policies, I don't recall if somebody did something similar before),
> > user@tika.a.o and dev@tika.a.o 6 and 3 months before EOL date.
> >
> > --
> > Best regards,
> > Konstantin Gribov.
> >
> >
> > On Wed, Dec 15, 2021 at 9:00 PM Nick Burch  wrote:
> >
> > > On Wed, 15 Dec 2021, Tim Allison wrote:
> > > > Sounds good, Nick.  Unless there are objections, I'll add an EOL
> > > > September 30, 2022 for the 1.x branch on our github README and maybe
> our
> > > > site somewhere?
> > >
> > > Maybe just mention it in the news section at the end any 1.x fix
> releases?
> > >
> > > Nick
> > >
>

Re: [DISCUSS] upgrading log4j to to log4j2 in Tika's 1.x branch

2021-12-15 Thread Tim Allison 
I've merged Lewis's edits to the README and added the EOL.  Let's do
what both Konstantin and Nick recommend: README, notifications to
user/dev lists x months out and include EOL in all release messages?

Please let me know/edit the README if there are other improvements we
should make.

Thank you, all!

Cheers,

 Tim

On Wed, Dec 15, 2021 at 1:20 PM Konstantin Gribov  wrote:
>
> My +1 to EOL on September 30, 2022 with effective backport submission
> freeze 3 months before that.
>
> I think it would be better if we mention the EOL timeline at least in 3
> places: in each release announcement, in README and on the site (on the
> main page or in release news articles). Different downstream users look at
> different sources, so more visibility seems to be a good idea to me. I saw
> a lot of projects still using log4j 1.2.x in the wild and have a feeling
> that it's partially due to lack of visibility about its EOL.
>
> Also we can send a message to announce@a.o (if it's not discouraged by ASF
> policies, I don't recall if somebody did something similar before),
> user@tika.a.o and dev@tika.a.o 6 and 3 months before EOL date.
>
> --
> Best regards,
> Konstantin Gribov.
>
>
> On Wed, Dec 15, 2021 at 9:00 PM Nick Burch  wrote:
>
> > On Wed, 15 Dec 2021, Tim Allison wrote:
> > > Sounds good, Nick.  Unless there are objections, I'll add an EOL
> > > September 30, 2022 for the 1.x branch on our github README and maybe our
> > > site somewhere?
> >
> > Maybe just mention it in the news section at the end any 1.x fix releases?
> >
> > Nick
> >

Re: [DISCUSS] upgrading log4j to to log4j2 in Tika's 1.x branch

2021-12-15 Thread Konstantin Gribov 
My +1 to EOL on September 30, 2022 with effective backport submission
freeze 3 months before that.

I think it would be better if we mention the EOL timeline at least in 3
places: in each release announcement, in README and on the site (on the
main page or in release news articles). Different downstream users look at
different sources, so more visibility seems to be a good idea to me. I saw
a lot of projects still using log4j 1.2.x in the wild and have a feeling
that it's partially due to lack of visibility about its EOL.

Also we can send a message to announce@a.o (if it's not discouraged by ASF
policies, I don't recall if somebody did something similar before),
user@tika.a.o and dev@tika.a.o 6 and 3 months before EOL date.

-- 
Best regards,
Konstantin Gribov.


On Wed, Dec 15, 2021 at 9:00 PM Nick Burch  wrote:

> On Wed, 15 Dec 2021, Tim Allison wrote:
> > Sounds good, Nick.  Unless there are objections, I'll add an EOL
> > September 30, 2022 for the 1.x branch on our github README and maybe our
> > site somewhere?
>
> Maybe just mention it in the news section at the end any 1.x fix releases?
>
> Nick
>

Re: [DISCUSS] upgrading log4j to to log4j2 in Tika's 1.x branch

2021-12-15 Thread Nick Burch 

On Wed, 15 Dec 2021, Tim Allison wrote:
Sounds good, Nick.  Unless there are objections, I'll add an EOL 
September 30, 2022 for the 1.x branch on our github README and maybe our 
site somewhere?


Maybe just mention it in the news section at the end any 1.x fix releases?

Nick

Re: [DISCUSS] upgrading log4j to to log4j2 in Tika's 1.x branch

2021-12-15 Thread Tim Allison 
Sounds good, Nick.  Unless there are objections, I'll add an EOL
September 30, 2022 for the 1.x branch on our github README and maybe
our site somewhere?

>I'm not keen on adding new features to 1.x, as that'll only encourage
people to stick on the old one, but I wouldn't go as far as -1'ing other
people's backports if they're still keen, at least for a while!

Agreed.

Onwards!

Cheers,

  Tim


On Wed, Dec 15, 2021 at 10:01 AM Nick Burch  wrote:
>
> On Wed, 15 Dec 2021, Tim Allison wrote:
> > I think we should keep the 1.x branch open for security upgrades for a
> > bit...middle of next year?  I have _not_ been adding new features or
> > even some bug fixes to 1.x, and I encourage people to migrate to 2.x.
>
> We've seen quite a few queries from people struggling to upgrade in the
> last few weeks, so I think it's fair to say we must have a decent number
> of 1.x users still. For an example, Alfresco only upgraded a couple of
> weeks ago, and that's only on their main branch, so it'll be a while until
> it's in their releases.
>
> I'm not keen on adding new features to 1.x, as that'll only encourage
> people to stick on the old one, but I wouldn't go as far as -1'ing other
> people's backports if they're still keen, at least for a while!
>
> I'd be minded to say we probably need to keep on top of security stuff
> until something like September 2022, to give people just over a year to
> upgrade to 2.x. I'm minded to say we allow anyone keen to backport
> bugfixes etc until 3 months before that, but effectively discourage it for
> the last part to help encourage hold-outs to move. I think we should post
> something on the site about the planned EOL timeline, linking once more to
> the wonderful migrating resource on the wiki.
>
> Nick

Re: [DISCUSS] upgrading log4j to to log4j2 in Tika's 1.x branch

2021-12-15 Thread Nick Burch 

On Wed, 15 Dec 2021, Tim Allison wrote:
I think we should keep the 1.x branch open for security upgrades for a 
bit...middle of next year?  I have _not_ been adding new features or 
even some bug fixes to 1.x, and I encourage people to migrate to 2.x.


We've seen quite a few queries from people struggling to upgrade in the 
last few weeks, so I think it's fair to say we must have a decent number 
of 1.x users still. For an example, Alfresco only upgraded a couple of 
weeks ago, and that's only on their main branch, so it'll be a while until 
it's in their releases.


I'm not keen on adding new features to 1.x, as that'll only encourage 
people to stick on the old one, but I wouldn't go as far as -1'ing other 
people's backports if they're still keen, at least for a while!


I'd be minded to say we probably need to keep on top of security stuff 
until something like September 2022, to give people just over a year to 
upgrade to 2.x. I'm minded to say we allow anyone keen to backport 
bugfixes etc until 3 months before that, but effectively discourage it for 
the last part to help encourage hold-outs to move. I think we should post 
something on the site about the planned EOL timeline, linking once more to 
the wonderful migrating resource on the wiki.


Nick

Re: [DISCUSS] upgrading log4j to to log4j2 in Tika's 1.x branch

2021-12-15 Thread Tim Allison 
It didn't take too long, and as long as the original author of the
metrics stuff in tika-server isn't too concerned about breaking
changes, let's hope for the best. Log4j 1.x is so far beyond its EOL,
it is embarrassing.

I think we should keep the 1.x branch open for security upgrades for a
bit...middle of next year?  I have _not_ been adding new features or
even some bug fixes to 1.x, and I encourage people to migrate to 2.x.

What do others think?

On Tue, Dec 14, 2021 at 8:05 PM Luís Filipe Nassif  wrote:
>
> Sorry about the additional work, Tim. I thought upgrading from log4j-1.x to
> 2.x on Tika-1.x maybe could not be that hard and didn't know about breaking
> changes.
>
> Related to Eric's email, would we support Tika-1.x security updates for
> some while (that was my intent with the proposal above)? Was this already
> discussed?
>
> Best regards,
> Luis Filipe
>
>
>
> Em seg., 13 de dez. de 2021 às 17:23, Tim Allison 
> escreveu:
>
> > Yes.  That was the reasoning behind my -0.  I don't think this will
> > destroy our resources, but yes, please do migrate to 2.x asap.
> >
> >
> > On Mon, Dec 13, 2021 at 3:13 PM Eric Pugh
> >  wrote:
> > >
> > > Isn’t the goal of Tika 2 to mean that we no longer work on Tika 1?
> >  Does the Tika community have enough developer bandwidth to continue to
> > maintain Tika 1 while also pushing forward on Tika 2?
> > >
> > > I worry that we’ll fall into that situation where people just end up
> > using Tika 1 for forever, especially if there are new updates to it that
> > are happening, which then encourages folks not to move to Tika 2.
> > >
> > >
> > >
> > >
> > > > On Dec 13, 2021, at 2:49 PM, Tim Allison  wrote:
> > > >
> > > > Sounds like 2 +1 to my -0. :D  I'll start working on this now.
> > > >
> > > > On Mon, Dec 13, 2021 at 2:09 PM Nicholas DiPiazza
> > > >  wrote:
> > > >>
> > > >> I prefer upgrade to log4j2
> > > >>
> > > >> On Mon, Dec 13, 2021, 12:05 PM Tim Allison 
> > wrote:
> > > >>
> > > >>> All,
> > > >>>  I'm currently in the process of building the rc1 for Tika 2.x. On
> > > >>> TIKA-3616, Luís Filipe Nassif asked if we could upgrade log4j to
> > > >>> log4j2 in the 1.x branch.  I think we avoided that because it would
> > be
> > > >>> a breaking change(?).  There are security vulns in log4j and it hit
> > > >>> EOL
> > > >>> in August 2015.
> > > >>>  Should we upgrade the Tika 1.x branch for log4j2?
> > > >>>
> > > >>>  Best,
> > > >>>
> > > >>>   Tim
> > > >>>
> > > >>>
> > > >>> [1]
> > > >>>
> > https://issues.apache.org/jira/browse/TIKA-3616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17457595#comment-17457595
> > > >>>
> > >
> > > ___
> > > Eric Pugh | Founder & CEO | OpenSource Connections, LLC | 434.466.1467 |
> > http://www.opensourceconnections.com <
> > http://www.opensourceconnections.com/> | My Free/Busy <
> > http://tinyurl.com/eric-cal>
> > > Co-Author: Apache Solr Enterprise Search Server, 3rd Ed <
> > https://www.packtpub.com/big-data-and-business-intelligence/apache-solr-enterprise-search-server-third-edition-raw
> > >
> > > This e-mail and all contents, including attachments, is considered to be
> > Company Confidential unless explicitly stated otherwise, regardless of
> > whether attachments are marked as such.
> > >
> >

Re: [DISCUSS] upgrading log4j to to log4j2 in Tika's 1.x branch

2021-12-14 Thread Tilman Hausherr 

Am 13.12.2021 um 19:05 schrieb Tim Allison:

All,
   I'm currently in the process of building the rc1 for Tika 2.x. On
TIKA-3616, Luís Filipe Nassif asked if we could upgrade log4j to
log4j2 in the 1.x branch.  I think we avoided that because it would be
a breaking change(?).  There are security vulns in log4j and it hit
EOL
in August 2015.
   Should we upgrade the Tika 1.x branch for log4j2?



Yes

Tilman




   Best,

Tim


[1] 
https://issues.apache.org/jira/browse/TIKA-3616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17457595#comment-17457595

Re: [DISCUSS] upgrading log4j to to log4j2 in Tika's 1.x branch

2021-12-14 Thread Konstantin Gribov 
Hi, folks.

I'm +1 to both updating to log4j2 or logback and supporting security
updates for some time if we can but encourage migration to 2.2+ ASAP. Maybe
we should publish some EOL date in the 2.2.0 announcement if we didn't
before. It should give both time scope for migration and limit committers'
burden supporting 1.x with transparent EOL date.

Just my 2c

-- 
Best regards,
Konstantin Gribov.


On Wed, Dec 15, 2021 at 4:05 AM Luís Filipe Nassif 
wrote:

> Sorry about the additional work, Tim. I thought upgrading from log4j-1.x to
> 2.x on Tika-1.x maybe could not be that hard and didn't know about breaking
> changes.
>
> Related to Eric's email, would we support Tika-1.x security updates for
> some while (that was my intent with the proposal above)? Was this already
> discussed?
>
> Best regards,
> Luis Filipe
>
>
>
> Em seg., 13 de dez. de 2021 às 17:23, Tim Allison 
> escreveu:
>
> > Yes.  That was the reasoning behind my -0.  I don't think this will
> > destroy our resources, but yes, please do migrate to 2.x asap.
> >
> >
> > On Mon, Dec 13, 2021 at 3:13 PM Eric Pugh
> >  wrote:
> > >
> > > Isn’t the goal of Tika 2 to mean that we no longer work on Tika 1?
> >  Does the Tika community have enough developer bandwidth to continue to
> > maintain Tika 1 while also pushing forward on Tika 2?
> > >
> > > I worry that we’ll fall into that situation where people just end up
> > using Tika 1 for forever, especially if there are new updates to it that
> > are happening, which then encourages folks not to move to Tika 2.
> > >
> > >
> > >
> > >
> > > > On Dec 13, 2021, at 2:49 PM, Tim Allison 
> wrote:
> > > >
> > > > Sounds like 2 +1 to my -0. :D  I'll start working on this now.
> > > >
> > > > On Mon, Dec 13, 2021 at 2:09 PM Nicholas DiPiazza
> > > >  wrote:
> > > >>
> > > >> I prefer upgrade to log4j2
> > > >>
> > > >> On Mon, Dec 13, 2021, 12:05 PM Tim Allison 
> > wrote:
> > > >>
> > > >>> All,
> > > >>>  I'm currently in the process of building the rc1 for Tika 2.x. On
> > > >>> TIKA-3616, Luís Filipe Nassif asked if we could upgrade log4j to
> > > >>> log4j2 in the 1.x branch.  I think we avoided that because it would
> > be
> > > >>> a breaking change(?).  There are security vulns in log4j and it hit
> > > >>> EOL
> > > >>> in August 2015.
> > > >>>  Should we upgrade the Tika 1.x branch for log4j2?
> > > >>>
> > > >>>  Best,
> > > >>>
> > > >>>   Tim
> > > >>>
> > > >>>
> > > >>> [1]
> > > >>>
> >
> https://issues.apache.org/jira/browse/TIKA-3616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17457595#comment-17457595
> > > >>>
> > >
> > > ___
> > > Eric Pugh | Founder & CEO | OpenSource Connections, LLC | 434.466.1467
> |
> > http://www.opensourceconnections.com <
> > http://www.opensourceconnections.com/> | My Free/Busy <
> > http://tinyurl.com/eric-cal>
> > > Co-Author: Apache Solr Enterprise Search Server, 3rd Ed <
> >
> https://www.packtpub.com/big-data-and-business-intelligence/apache-solr-enterprise-search-server-third-edition-raw
> > >
> > > This e-mail and all contents, including attachments, is considered to
> be
> > Company Confidential unless explicitly stated otherwise, regardless of
> > whether attachments are marked as such.
> > >
> >
>

Re: [DISCUSS] upgrading log4j to to log4j2 in Tika's 1.x branch

2021-12-14 Thread Luís Filipe Nassif 
Sorry about the additional work, Tim. I thought upgrading from log4j-1.x to
2.x on Tika-1.x maybe could not be that hard and didn't know about breaking
changes.

Related to Eric's email, would we support Tika-1.x security updates for
some while (that was my intent with the proposal above)? Was this already
discussed?

Best regards,
Luis Filipe



Em seg., 13 de dez. de 2021 às 17:23, Tim Allison 
escreveu:

> Yes.  That was the reasoning behind my -0.  I don't think this will
> destroy our resources, but yes, please do migrate to 2.x asap.
>
>
> On Mon, Dec 13, 2021 at 3:13 PM Eric Pugh
>  wrote:
> >
> > Isn’t the goal of Tika 2 to mean that we no longer work on Tika 1?
>  Does the Tika community have enough developer bandwidth to continue to
> maintain Tika 1 while also pushing forward on Tika 2?
> >
> > I worry that we’ll fall into that situation where people just end up
> using Tika 1 for forever, especially if there are new updates to it that
> are happening, which then encourages folks not to move to Tika 2.
> >
> >
> >
> >
> > > On Dec 13, 2021, at 2:49 PM, Tim Allison  wrote:
> > >
> > > Sounds like 2 +1 to my -0. :D  I'll start working on this now.
> > >
> > > On Mon, Dec 13, 2021 at 2:09 PM Nicholas DiPiazza
> > >  wrote:
> > >>
> > >> I prefer upgrade to log4j2
> > >>
> > >> On Mon, Dec 13, 2021, 12:05 PM Tim Allison 
> wrote:
> > >>
> > >>> All,
> > >>>  I'm currently in the process of building the rc1 for Tika 2.x. On
> > >>> TIKA-3616, Luís Filipe Nassif asked if we could upgrade log4j to
> > >>> log4j2 in the 1.x branch.  I think we avoided that because it would
> be
> > >>> a breaking change(?).  There are security vulns in log4j and it hit
> > >>> EOL
> > >>> in August 2015.
> > >>>  Should we upgrade the Tika 1.x branch for log4j2?
> > >>>
> > >>>  Best,
> > >>>
> > >>>   Tim
> > >>>
> > >>>
> > >>> [1]
> > >>>
> https://issues.apache.org/jira/browse/TIKA-3616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17457595#comment-17457595
> > >>>
> >
> > ___
> > Eric Pugh | Founder & CEO | OpenSource Connections, LLC | 434.466.1467 |
> http://www.opensourceconnections.com <
> http://www.opensourceconnections.com/> | My Free/Busy <
> http://tinyurl.com/eric-cal>
> > Co-Author: Apache Solr Enterprise Search Server, 3rd Ed <
> https://www.packtpub.com/big-data-and-business-intelligence/apache-solr-enterprise-search-server-third-edition-raw
> >
> > This e-mail and all contents, including attachments, is considered to be
> Company Confidential unless explicitly stated otherwise, regardless of
> whether attachments are marked as such.
> >
>

Re: [DISCUSS] upgrading log4j to to log4j2 in Tika's 1.x branch

2021-12-13 Thread Tim Allison 
Yes.  That was the reasoning behind my -0.  I don't think this will
destroy our resources, but yes, please do migrate to 2.x asap.


On Mon, Dec 13, 2021 at 3:13 PM Eric Pugh
 wrote:
>
> Isn’t the goal of Tika 2 to mean that we no longer work on Tika 1?   Does the 
> Tika community have enough developer bandwidth to continue to maintain Tika 1 
> while also pushing forward on Tika 2?
>
> I worry that we’ll fall into that situation where people just end up using 
> Tika 1 for forever, especially if there are new updates to it that are 
> happening, which then encourages folks not to move to Tika 2.
>
>
>
>
> > On Dec 13, 2021, at 2:49 PM, Tim Allison  wrote:
> >
> > Sounds like 2 +1 to my -0. :D  I'll start working on this now.
> >
> > On Mon, Dec 13, 2021 at 2:09 PM Nicholas DiPiazza
> >  wrote:
> >>
> >> I prefer upgrade to log4j2
> >>
> >> On Mon, Dec 13, 2021, 12:05 PM Tim Allison  wrote:
> >>
> >>> All,
> >>>  I'm currently in the process of building the rc1 for Tika 2.x. On
> >>> TIKA-3616, Luís Filipe Nassif asked if we could upgrade log4j to
> >>> log4j2 in the 1.x branch.  I think we avoided that because it would be
> >>> a breaking change(?).  There are security vulns in log4j and it hit
> >>> EOL
> >>> in August 2015.
> >>>  Should we upgrade the Tika 1.x branch for log4j2?
> >>>
> >>>  Best,
> >>>
> >>>   Tim
> >>>
> >>>
> >>> [1]
> >>> https://issues.apache.org/jira/browse/TIKA-3616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17457595#comment-17457595
> >>>
>
> ___
> Eric Pugh | Founder & CEO | OpenSource Connections, LLC | 434.466.1467 | 
> http://www.opensourceconnections.com  
> | My Free/Busy 
> Co-Author: Apache Solr Enterprise Search Server, 3rd Ed 
> 
> This e-mail and all contents, including attachments, is considered to be 
> Company Confidential unless explicitly stated otherwise, regardless of 
> whether attachments are marked as such.
>

Re: [DISCUSS] upgrading log4j to to log4j2 in Tika's 1.x branch

2021-12-13 Thread Eric Pugh 
Isn’t the goal of Tika 2 to mean that we no longer work on Tika 1?   Does the 
Tika community have enough developer bandwidth to continue to maintain Tika 1 
while also pushing forward on Tika 2?

I worry that we’ll fall into that situation where people just end up using Tika 
1 for forever, especially if there are new updates to it that are happening, 
which then encourages folks not to move to Tika 2.




> On Dec 13, 2021, at 2:49 PM, Tim Allison  wrote:
> 
> Sounds like 2 +1 to my -0. :D  I'll start working on this now.
> 
> On Mon, Dec 13, 2021 at 2:09 PM Nicholas DiPiazza
>  wrote:
>> 
>> I prefer upgrade to log4j2
>> 
>> On Mon, Dec 13, 2021, 12:05 PM Tim Allison  wrote:
>> 
>>> All,
>>>  I'm currently in the process of building the rc1 for Tika 2.x. On
>>> TIKA-3616, Luís Filipe Nassif asked if we could upgrade log4j to
>>> log4j2 in the 1.x branch.  I think we avoided that because it would be
>>> a breaking change(?).  There are security vulns in log4j and it hit
>>> EOL
>>> in August 2015.
>>>  Should we upgrade the Tika 1.x branch for log4j2?
>>> 
>>>  Best,
>>> 
>>>   Tim
>>> 
>>> 
>>> [1]
>>> https://issues.apache.org/jira/browse/TIKA-3616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17457595#comment-17457595
>>> 

___
Eric Pugh | Founder & CEO | OpenSource Connections, LLC | 434.466.1467 | 
http://www.opensourceconnections.com  | 
My Free/Busy   
Co-Author: Apache Solr Enterprise Search Server, 3rd Ed 


This e-mail and all contents, including attachments, is considered to be 
Company Confidential unless explicitly stated otherwise, regardless of whether 
attachments are marked as such.

Re: [DISCUSS] upgrading log4j to to log4j2 in Tika's 1.x branch

2021-12-13 Thread Tim Allison 
Sounds like 2 +1 to my -0. :D  I'll start working on this now.

On Mon, Dec 13, 2021 at 2:09 PM Nicholas DiPiazza
 wrote:
>
> I prefer upgrade to log4j2
>
> On Mon, Dec 13, 2021, 12:05 PM Tim Allison  wrote:
>
> > All,
> >   I'm currently in the process of building the rc1 for Tika 2.x. On
> > TIKA-3616, Luís Filipe Nassif asked if we could upgrade log4j to
> > log4j2 in the 1.x branch.  I think we avoided that because it would be
> > a breaking change(?).  There are security vulns in log4j and it hit
> > EOL
> > in August 2015.
> >   Should we upgrade the Tika 1.x branch for log4j2?
> >
> >   Best,
> >
> >Tim
> >
> >
> > [1]
> > https://issues.apache.org/jira/browse/TIKA-3616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17457595#comment-17457595
> >

Re: [DISCUSS] upgrading log4j to to log4j2 in Tika's 1.x branch

2021-12-13 Thread Nicholas DiPiazza 
I prefer upgrade to log4j2

On Mon, Dec 13, 2021, 12:05 PM Tim Allison  wrote:

> All,
>   I'm currently in the process of building the rc1 for Tika 2.x. On
> TIKA-3616, Luís Filipe Nassif asked if we could upgrade log4j to
> log4j2 in the 1.x branch.  I think we avoided that because it would be
> a breaking change(?).  There are security vulns in log4j and it hit
> EOL
> in August 2015.
>   Should we upgrade the Tika 1.x branch for log4j2?
>
>   Best,
>
>Tim
>
>
> [1]
> https://issues.apache.org/jira/browse/TIKA-3616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17457595#comment-17457595
>

[DISCUSS] upgrading log4j to to log4j2 in Tika's 1.x branch

2021-12-13 Thread Tim Allison 
All,
  I'm currently in the process of building the rc1 for Tika 2.x. On
TIKA-3616, Luís Filipe Nassif asked if we could upgrade log4j to
log4j2 in the 1.x branch.  I think we avoided that because it would be
a breaking change(?).  There are security vulns in log4j and it hit
EOL
in August 2015.
  Should we upgrade the Tika 1.x branch for log4j2?

  Best,

   Tim


[1] 
https://issues.apache.org/jira/browse/TIKA-3616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17457595#comment-17457595