Hi,

I've run VS 2010's static code analysis using the security rule set on
the current code base and fixed all places where it complained about
transparent code referencing security-critical code or code overriding
security-critical methods.

The result is a bit more than the SecurityCritical attributes provided
in JIRA patches or in patches I found floating around on the web (there
are quite a few "make log4net work on 4.0" patchsets) - fortunately it
seems to be a superset.

By now I can log using .NET Client Profile and get the same 10 unit test
failures on 4.0 that I get on 2.0 - I'd call that progress.

The intermediate results can be found at
<http://people.apache.org/~bodewig/log4net/> with net-cp holding the
client profile compiled DLLs.  Again, this is in no way a release and I
may remove the directory without warning.

We'll need to review the places I've marked up as SecuritySafeCritical
in order to verify we don't need to perform additional security checks
beyond what the called code will already do.

The security ruleset also complains about a few other things that I may
turn into JIRA issues for a future release sometime later (much later, I
guess).

Stefan
