Re: [VOTE] Release log4cxx 1.1.0

2023-05-02 Thread Stephen Webb
-1 I believe a bad security vulnerability was introduced by a recent commit On Wed, 3 May 2023, 6:02 am Remko Popma, wrote: > +1 Remko > > On Wed, May 3, 2023 at 2:34 AM Thorsten Schöning > wrote: > > > Hello Robert Middleton, > > on Tuesday, 2 May 2023 at 13:47 you wrote: > > > > >

Re: [VOTE] Release Apache Log4j Transformation Tools 0.1.0

2023-05-02 Thread Volkan Yazıcı
I am not able to follow: 88 LoC with ad-hoc exclusions . > Maven Assembly Plugin has reproducible builds. :-) You got me there. `git ls-tree | zip` requires an extra

Re: [VOTE] Release Apache Log4j Transformation Tools 0.1.0

2023-05-02 Thread Piotr P. Karwasz
Hi Volkan, On Tue, 2 May 2023 at 22:22, Volkan Yazıcı wrote: > Regarding `maven-assembly-plugin`... I simply don't get the motivation > behind replacing `git ls-files | zip` with hundreds of lines of XML > containing ad-hoc include/exclude statements in a module that needs to be > excluded in

Re: [VOTE] Release Apache Log4j Transformation Tools 0.1.0

2023-05-02 Thread Volkan Yazıcı
What is the thing exactly cluttering here? It is as transparent as it can possibly get. Regarding `maven-assembly-plugin`... I simply don't get the motivation behind replacing `git ls-files | zip` with hundreds of lines of XML containing ad-hoc include/exclude statements in a module that needs to

Re: Discuss [VOTE] Release Apache Log4j Transformation Tools 0.1.0

2023-05-02 Thread Volkan Yazıcı
Email archives are irrelevant for the provenance of sources; an arbitrary tag/commit not sealed with `rel/` prefix might disappear and we will lose the context to "what was proposed/rejected for release" . We don't have hundreds of releases with dozens of RCs for each. I would rather see my `git

Re: [VOTE] Release log4cxx 1.1.0

2023-05-02 Thread Remko Popma
+1 Remko On Wed, May 3, 2023 at 2:34 AM Thorsten Schöning wrote: > Hello Robert Middleton, > on Tuesday, 2 May 2023 at 13:47 you wrote: > > > Please download, test, and cast your votes on the log4j developers list. > > [] +1, release the artifacts > > [] -1, don't release because... >

Re: [VOTE] Release Apache Log4j Transformation Tools 0.1.0

2023-05-02 Thread Gary Gregory
Uh? It should NOT contain an exact copy of a git repository, what do I need a ".github" folder for in order to build the project? I don't, it just clutters things up for no good reason. None of the Apache projects I've seen do this. It sounds like a convenience because it's easy as opposed to

Re: Discuss [VOTE] Release Apache Log4j Transformation Tools 0.1.0

2023-05-02 Thread Gary Gregory
What you are proposing IMO is confusing and clutters up the release tag space: "rel" stands for "releases", not for "candidates for releases that may be completely broken" :-( It is of zero use to downstream users, and it is only being proposed out of the convenience because some tool does it,

Re: [VOTE] Release log4cxx 1.1.0

2023-05-02 Thread Volkan Yazıcı
+1 Verified signatures and checksums. On Tue, May 2, 2023 at 1:47 PM Robert Middleton wrote: > This is a vote to release log4cxx 1.1.0 > > Please download, test, and cast your votes on the log4j developers list. > [] +1, release the artifacts > [] -1, don't release because... > > This vote

Re: [VOTE] Release Apache Log4j Transformation Tools 0.1.0

2023-05-02 Thread Volkan Yazıcı
I completely disagree. Generated ZIP archive contains _an exact copy_ of the repository snapshot used to generate the release. (In a nutshell, it is `git ls-files | zip` output.) Contrast this with Log4j, which bundles everything out there using the provided configuration composed of dozens of

[VOTE] (RC3) Release Apache Log4j Transformation Tools 0.1.0

2023-05-02 Thread Piotr P. Karwasz
The Apache Log4j Transformation Tools 0.1.0 release is now available for voting. This is the first release and it contains two modules: * [LOG4J2-3638]: Adds a bytecode transformation tool to provide location information without reflection. * [LOG4J2-673]: Adds a resource transformer for the

Re: [VOTE] Release Apache Log4j Transformation Tools 0.1.0

2023-05-02 Thread Volkan Yazıcı
I agree that we should share the link to the `KEYS` file, granted that we also share the signing key's public ID. As a side note, the shared link is not a random one; it is the one used by Nexus to verify the signatures. (Yes, I am aware that Nexus is not recognized as an official distribution

Re: Discuss [VOTE] Release Apache Log4j Transformation Tools 0.1.0

2023-05-02 Thread Volkan Yazıcı
I support the idea of using `rel/`-prefixed tags both for releases and RCs (release candidates). It matters for provenance, which is of subject for RCs too, in particular, the downvoted ones. Next to that, it is intuitive, one doesn't need to remember two different patterns to access releases and

Re: [VOTE] Release Apache Log4j Transformation Tools 0.1.0

2023-05-02 Thread Ralph Goers
I don’t see release notes or a download link at that site. Personally, I think the side nav link should be under a new “related projects” heading rather than making it appear that it is a component of Log4j2 itself. FWIW, I am leaving this under the vote thread since it sounds like you are

Re: [VOTE] Release log4cxx 1.1.0

2023-05-02 Thread Thorsten Schöning
Hello Robert Middleton, on Tuesday, 2 May 2023 at 13:47 you wrote: > Please download, test, and cast your votes on the log4j developers list. > [] +1, release the artifacts > [] -1, don't release because... +1 I've successfully compiled and run tests using MS Visual Studio 17.5.5 64

Re: [VOTE] Release Apache Log4j Transformation Tools 0.1.0

2023-05-02 Thread Gary D. Gregory
+1 Tests the src zip, asc and SHA file OK despite the SHA file being broken as Ralph noted (there should not be a target folder in the name). mvn clean verify OK with: Apache Maven 3.9.1 (2e178502fcdbffc201671fb2537d0cb4b4cc58f8) Maven home: C:\java\apache-maven-3.9.1 Java version: 17.0.7,

Re: [VOTE] Release Apache Log4j Transformation Tools 0.1.0

2023-05-02 Thread Gary D. Gregory
Hi Ralph: Nitpicking: I'm pretty sure you're supposed to test the src zip, not the repo. In theory these two are different because the zip should not contain extra non-source junk like the .github folder. Gary On 2023/05/02 04:29:22 Ralph Goers wrote: > +1 > > I checked out the tag and built

Re: [VOTE] Release Apache Log4j Transformation Tools 0.1.0

2023-05-02 Thread Gary D. Gregory
Another needed clean-up (not a blocker): The zip file has all sorts of git junk: a .github folder, a .gitignore file, and a .mvn folder (I certainly don't want extra maven junk either but that's just me)? There should only be _sources_, not a snapshot of all files in the github repo. For example,

Re: [VOTE] Release Apache Log4j Transformation Tools 0.1.0

2023-05-02 Thread Gary D. Gregory
Note: > Signing key: > https://keyserver.ubuntu.com/pks/lookup?search=077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0=on=index A random link on the internet is irrelevant, what matters is what is in our KEYS file at: https://downloads.apache.org/logging/KEYS Gary On 2023/05/01 19:09:37 "Piotr P.

[VOTE] Release log4cxx 1.1.0

2023-05-02 Thread Robert Middleton
This is a vote to release log4cxx 1.1.0 Please download, test, and cast your votes on the log4j developers list. [] +1, release the artifacts [] -1, don't release because... This vote will remain open for 72 hours (or more if required). All votes are welcome and we encourage everyone to test the

Re: [VOTE] Release Apache Log4j Transformation Tools 0.1.0

2023-05-02 Thread Piotr P. Karwasz
Hi, On Mon, 1 May 2023 at 21:09, Piotr P. Karwasz wrote: > * [LOG4J2-3638]: Adds a bytecode transformation tool to provide > location information without reflection. There is a small but pesky restriction in the Maven plugin: there is no includes/excludes setting. While not a problem for the