No. Category B dependencies do not need to be optional. They simply need to be called out in the NOTICES file.

Ralph

> On Feb 10, 2022, at 10:32 AM, Matt Sicker <[email protected]> wrote:
>
> They _can_ be included as binaries, though they require calling out.
> I've generally been under the impression that dependencies on cat B or
> X need to generally be optional. Though the security issues with v1
> are a larger concern, agreed.
>
> On Thu, Feb 10, 2022 at 10:46 AM Ralph Goers <[email protected]>
> wrote:
>>
>> I’m not sure I understand your concern. Category B licensed works can be
>> included as binaries.
>>
>> However, I expressed a concern on this Jira issue about projects that
>> believe they are OK using reload4j since we are still getting security
>> vulnerability reports for Log4j 1.
>>
>> Ralph
>>
>>> On Feb 9, 2022, at 6:54 PM, Matt Sicker <[email protected]> wrote:
>>>
>>> I’m not sure how any PMCs are getting away with distributing Logback as
>>> it’s under class B licenses. More info:
>>> https://www.apache.org/legal/resolved.html#category-b
>>>
>>> —
>>> Matt Sicker
>>>
>>>> On Feb 9, 2022, at 14:16, Gary Gregory <[email protected]> wrote:
>>>>
>>>> FYI
>>>>
>>>> ---------- Forwarded message ---------
>>>> From: Chris Nauroth (Jira) <[email protected]>
>>>> Date: Wed, Feb 9, 2022, 14:11
>>>> Subject: [jira] [Resolved] (ZOOKEEPER-2342) Migrate to Log4J 2.
>>>> To: <[email protected]>
>>>>
>>>> [
>>>> https://issues.apache.org/jira/browse/ZOOKEEPER-2342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
>>>> ]
>>>>
>>>> Chris Nauroth resolved ZOOKEEPER-2342.
>>>> --------------------------------------
>>>> Resolution: Won't Do
>>>>
>>>> ZOOKEEPER-4427 has been committed to migrate to Logback in a new major
>>>> version (with the option to swap out the SLF4J back-end if users prefer
>>>> Log4J 2). For prior version lines, discussion is under way on the dev
>>>> mailing list considering reload4j and the new bridge released by Apache
>>>> Logging.
>>>>
>>>> I'm going to close out this issue, because there is no longer community
>>>> interest in the earlier Log4J 2 migration work from a few years ago. Thank
>>>> you to everyone who participated on this issue.
>>>>
>>>>> Migrate to Log4J 2.
>>>>> -------------------
>>>>>
>>>>> Key: ZOOKEEPER-2342
>>>>> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2342
>>>>> Project: ZooKeeper
>>>>> Issue Type: Bug
>>>>> Reporter: Chris Nauroth
>>>>> Assignee: Chris Nauroth
>>>>> Priority: Major
>>>>> Attachments: ZOOKEEPER-2342.001.patch
>>>>>
>>>>> ZOOKEEPER-1371 removed our source code dependency on Log4J. It appears
>>>>> that this also removed the Log4J SLF4J binding jar from the runtime
>>>>> classpath. Without any SLF4J binding jar available on the runtime
>>>>> classpath, it is impossible to write logs.
>>>>> This JIRA investigated migration to Log4J 2 as a possible path towards
>>>>> resolving the bug introduced by ZOOKEEPER-1371. At this point, we know
>>>>> this is not feasible short-term. This JIRA remains open to track long-term
>>>>> migration to Log4J 2.
>>>>
>>>> --
>>>> This message was sent by Atlassian Jira
>>>> (v8.20.1#820001)
