On a thread in general@incubator (the one with subject "Looking for a
champion: resurrect log4j 1.x") a member of the ZooKeeper PMC said they
would be moving to Logback, that is where I got that information from.
Yes, I will open a discussion on dev@ and a JIRA soon. My opinion is log4j
2 has
This is the thread in zookeeper dev mailing list for discussing whether to
migrate to logback
https://lists.apache.org/thread/1ktv03wvqtfg22d13c1yo1lgnjv6xpkt
AFAICT they haven't decided yet, a member in the community posted exactly
what I want to say
I think it would be a mistake to use the
Although this isn't really the right place I did want to circle back here
because in this context we are discussing HBase 3 and voting on alpha
versions toward a GA version.
ZooKeeper has decided to migrate from log4j to logback. Perhaps there would
be interest in doing that here, before 3.0 is
https://github.com/apache/hbase/pull/3965
Andrew Purtell wrote on Sunday, December 19, 2021 at 13:51:
> Sure, we are on the same page about this RC.
>
> > On Dec 18, 2021, at 9:46 PM, 张铎 wrote:
> >
> > I think we are on the same page that we should upgrade to the newest
> log4j2
> > version since the final
Sure, we are on the same page about this RC.
> On Dec 18, 2021, at 9:46 PM, 张铎 wrote:
>
> I think we are on the same page that we should upgrade to the newest log4j2
> version since the final release has not been published yet.
>
> But on log4j1, in our community we have discussed this
I think we are on the same page that we should upgrade to the newest log4j2
version since the final release has not been published yet.
But on log4j1, in our community we have discussed this before when there is
a CVE for it. You can view this page
https://logging.apache.org/log4j/1.2/
And even
As to your first point, I think it is a simple consideration: A user’s security
department or compliance regulator will ask: “Does this version include log4j
with a known CVE?” Why would we provide a release where they have to answer
“yes” when we can provide them a release where they can
After 2.15.0, all the problems require you to manually put some special
markers in the pattern layout in your configuration file, so it is already
less harmful; we do not have something like %m{lookup} in the pattern layout
by default.
Anyway, since we haven’t released 3.0.0-alpha-2 yet, let’s upgrade
Apologies, I managed to hit the send button before finishing. My veto can
be cured by upgrading Log4J to **2.17.0**. See
https://logging.apache.org/log4j/2.x/security.html.
On Sat, Dec 18, 2021 at 1:22 PM Andrew Purtell wrote:
> -1 (binding)
>
> The Log4J issues are not fixed by 2.15.
>
> I
-1 (binding)
The Log4J issues are not fixed by 2.15.
I wish we had remained on Log4J 1. Hadoop 3 is still on 1, although I know
they have plans to upgrade. It does not seem advisable to use Log4J 2 at
all actually. Another option that does not include such a dangerous
reference/rewrite mechanism
+1 (binding)
* Xsums/sigs good
* Can build from source
* Log4j 2.15 is included (more on this below)
* log4j2.formatMsgNoLookups=true is set (multiple times per process, but
properly set)
* hbase-config.sh issue is fixed over rc1
Best as I've been able to keep up, it seems like we
+1
* Signature: ok
* Checksum : ok
* Rat check (1.8.0_301): ok
- mvn clean apache-rat:check
* Built from source (1.8.0_301): ok
- mvn clean install -DskipTests
* Unit tests pass (1.8.0_301): ok
- mvn package -P runSmallTests -Dsurefire.rerunFailingTestsCount=3
* Nightly build results look
Just a reminder, we still need more votes to make this release to address
the log4j2 CVE.
Nick Dimiduk wrote on Wednesday, December 15, 2021 at 04:38:
> +1
>
> * Signature: ok
> * Checksum : ok
> * Rat check (11.0.11): ok
> - mvn clean apache-rat:check -D skipTests
> * Built
+1
* Signature: ok
* Checksum : ok
* Rat check (11.0.11): ok
- mvn clean apache-rat:check -D skipTests
* Built from source (11.0.11): ok
- mvn clean install -D skipTests -DskipTests
On Tue, Dec 14, 2021 at 6:16 AM Duo Zhang wrote:
> Please vote
Please vote on this Apache hbase release candidate,
hbase-3.0.0-alpha-2RC1
The VOTE will remain open for at least 72 hours.
[ ] +1 Release this package as Apache hbase 3.0.0-alpha-2
[ ] -1 Do not release this package because ...
The tag to be voted on is 3.0.0-alpha-2RC1: