I’m not sure I understand your concern. Category B licensed works can be included as binaries.
However, I expressed a concern on this Jira issue about projects that believe they are OK using reload4j since we are still getting security vulnerability reports for Log4j 1. Ralph > On Feb 9, 2022, at 6:54 PM, Matt Sicker <[email protected]> wrote: > > I’m not sure how any PMCs are getting away with distributing Logback as it’s > under class B licenses. More info: > https://www.apache.org/legal/resolved.html#category-b > > — > Matt Sicker > >> On Feb 9, 2022, at 14:16, Gary Gregory <[email protected]> wrote: >> >> FYI >> >> ---------- Forwarded message --------- >> From: Chris Nauroth (Jira) <[email protected]> >> Date: Wed, Feb 9, 2022, 14:11 >> Subject: [jira] [Resolved] (ZOOKEEPER-2342) Migrate to Log4J 2. >> To: <[email protected]> >> >> >> >> [ >> https://issues.apache.org/jira/browse/ZOOKEEPER-2342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel >> ] >> >> Chris Nauroth resolved ZOOKEEPER-2342. >> -------------------------------------- >> Resolution: Won't Do >> >> ZOOKEEPER-4427 has been committed to migrate to Logback in a new major >> version (with the option to swap out the SLF4J back-end if users prefer >> Log4J 2). For prior version lines, discussion is under way on the dev >> mailing list considering reload4j and the new bridge released by Apache >> Logging. >> >> I'm going to close out this issue, because there is no longer community >> interest in the earlier Log4J 2 migration work from a few years ago. Thank >> you to everyone who participated on this issue. >> >>> Migrate to Log4J 2. >>> ------------------- >>> >>> Key: ZOOKEEPER-2342 >>> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2342 >>> Project: ZooKeeper >>> Issue Type: Bug >>> Reporter: Chris Nauroth >>> Assignee: Chris Nauroth >>> Priority: Major >>> Attachments: ZOOKEEPER-2342.001.patch >>> >>> >>> ZOOKEEPER-1371 removed our source code dependency on Log4J. It appears >> that this also removed the Log4J SLF4J binding jar from the runtime >> classpath. Without any SLF4J binding jar available on the runtime >> classpath, it is impossible to write logs. >>> This JIRA investigated migration to Log4J 2 as a possible path towards >> resolving the bug introduced by ZOOKEEPER-1371. At this point, we know >> this is not feasible short-term. This JIRA remains open to track long-term >> migration to Log4J 2. >> >> >> >> -- >> This message was sent by Atlassian Jira >> (v8.20.1#820001)
