They _can_ be included as binaries, though they require calling out. I've generally been under the impression that dependencies on cat B or X need to generally be optional. Though the security issues with v1 are a larger concern, agreed.
On Thu, Feb 10, 2022 at 10:46 AM Ralph Goers <[email protected]> wrote: > > I’m not sure I understand your concern. Category B licensed works can be > included as binaries. > > However, I expressed a concern on this Jira issue about projects that believe > they are OK using reload4j since we are still getting security vulnerability > reports for Log4j 1. > > > Ralph > > > On Feb 9, 2022, at 6:54 PM, Matt Sicker <[email protected]> wrote: > > > > I’m not sure how any PMCs are getting away with distributing Logback as > > it’s under class B licenses. More info: > > https://www.apache.org/legal/resolved.html#category-b > > > > — > > Matt Sicker > > > >> On Feb 9, 2022, at 14:16, Gary Gregory <[email protected]> wrote: > >> > >> FYI > >> > >> ---------- Forwarded message --------- > >> From: Chris Nauroth (Jira) <[email protected]> > >> Date: Wed, Feb 9, 2022, 14:11 > >> Subject: [jira] [Resolved] (ZOOKEEPER-2342) Migrate to Log4J 2. > >> To: <[email protected]> > >> > >> > >> > >> [ > >> https://issues.apache.org/jira/browse/ZOOKEEPER-2342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel > >> ] > >> > >> Chris Nauroth resolved ZOOKEEPER-2342. > >> -------------------------------------- > >> Resolution: Won't Do > >> > >> ZOOKEEPER-4427 has been committed to migrate to Logback in a new major > >> version (with the option to swap out the SLF4J back-end if users prefer > >> Log4J 2). For prior version lines, discussion is under way on the dev > >> mailing list considering reload4j and the new bridge released by Apache > >> Logging. > >> > >> I'm going to close out this issue, because there is no longer community > >> interest in the earlier Log4J 2 migration work from a few years ago. Thank > >> you to everyone who participated on this issue. > >> > >>> Migrate to Log4J 2. > >>> ------------------- > >>> > >>> Key: ZOOKEEPER-2342 > >>> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2342 > >>> Project: ZooKeeper > >>> Issue Type: Bug > >>> Reporter: Chris Nauroth > >>> Assignee: Chris Nauroth > >>> Priority: Major > >>> Attachments: ZOOKEEPER-2342.001.patch > >>> > >>> > >>> ZOOKEEPER-1371 removed our source code dependency on Log4J. It appears > >> that this also removed the Log4J SLF4J binding jar from the runtime > >> classpath. Without any SLF4J binding jar available on the runtime > >> classpath, it is impossible to write logs. > >>> This JIRA investigated migration to Log4J 2 as a possible path towards > >> resolving the bug introduced by ZOOKEEPER-1371. At this point, we know > >> this is not feasible short-term. This JIRA remains open to track long-term > >> migration to Log4J 2. > >> > >> > >> > >> -- > >> This message was sent by Atlassian Jira > >> (v8.20.1#820001) >
