Log4j Server receives messages from a Socket Appender. In the past these events 
were serialized using Java Serialization, which was a huge security hole. I 
believe we no longer support that. But the Server has to align its 
serialization scheme with how the appender is sending it. User’s may also 
require authentication or some mechanism to limit access to the service. 
Finally, it is almost certain that the service will need to be modified to take 
whatever actions the user wants on the log events.

For those reasons we kept log4j-server around but aren’t releasing it.  It is 
considered to be a sample for user’s to start from.

Ralph

> On Sep 26, 2023, at 1:49 PM, Christian Grobmeier <grobme...@apache.org> wrote:
> 
> Hi,
> 
> what is the purpose of log4j-server actually?
> I don't find any information about it.
> 
> I wonder, if this has a real use case (Gary uses it) but no releases, should 
> we create a Sandbox/Lab?
> Personally, if this just for example purposes, we maybe should actually move 
> it -samples as suggested below.
> 
> This thread is 8 days old, probably it is safe to move this repo now - we can 
> always -1 a commit if there is still an objection
> 
> Kind regards,
> Christian
> 
> 
> On Mon, Sep 18, 2023, at 10:09, Volkan Yazıcı wrote:
>> Hey Gary,
>> 
>> I'd appreciate your response on this `dev@` thread. I am cleaning up all
>> repositories and trying to either (in order of preference)
>> 
>>   1. delete them (since they are practically empty or irrelevant)
>>   2. archive them (clearly communicate it to the users that nobody is
>>   working on these projects, they are not maintained, etc. the repository is
>>   there only for archival purposes. note the archival is a reversible
>>   operation.)
>>   3. modernize them (make `./mvnw clean verify` work flawlessly on
>>   multiple platforms, erect the CI, updated dependencies, setup `dependabot`,
>>   clean up `pom.xml`s, docs, `README.adoc`, etc.)
>> 
>> From this point of view, we (Ralph, Piotr, and me) are in favor of
>> archiving `logging-log4j-server` and moving the `log4j-server` module to
>> `logging-log4j-samples`, which is completely modernized. Is that okay with
>> you?
>> 
>> 
>> On Thu, Sep 14, 2023 at 8:25 PM Volkan Yazıcı <vol...@yazi.ci> wrote:
>> 
>>> Gary, you haven't replied to this question of mine yet. I'd like to
>>> know more about your use case.
>>> 
>>> I had a call with Ralph and he stated `log4j-server` is not usable
>>> without customizations. Hence, he added, it is better suited to
>>> `log4j-samples`. I liked this idea. Do you have any objections if we
>>> archive the `log4j-server` and move its content to `log4j-samples`
>>> instead?
>>> 
>>> On Wed, Sep 13, 2023 at 3:16 PM Volkan Yazıcı <vol...@yazi.ci> wrote:
>>>> 
>>>> The project doesn't have any releases, how do you use it at work? Note
>>> that once they are retired (i.e., archived) you will still have access to
>>> the sources.
>>>> 
>>>> On Wed, Sep 13, 2023 at 3:06 PM Gary Gregory <garydgreg...@gmail.com>
>>> wrote:
>>>>> 
>>>>> Yes, we use logging-log4j-server at work.
>>>>> 
>>>>> Gary
>>>>> 
>>>>> On Wed, Sep 13, 2023 at 8:15 AM Volkan Yazıcı <vol...@yazi.ci> wrote:
>>>>>> 
>>>>>> I propose retiring `logging-log4j-server`
>>>>>> <https://github.com/apache/logging-log4j-server> and
>>> `logging-log4j-audit`
>>>>>> <https://github.com/apache/logging-log4j-audit> repositories (which
>>> never
>>>>>> had any releases) and making it clear in their READMEs that these
>>>>>> repositories exist only for archival purposes. Objections?
>>> 

Reply via email to