Hi Christian, On Mon, 2 Oct 2023 at 13:13, Christian Grobmeier <c...@grobmeier.de> wrote: > Sandbox, dormant and stable are not hoops but communication about the health > of a component.
I like this idea. I think that the main problem we have been debating on this mailing list since September is how to communicate to the user, which components: 1. are actively maintained (a committer works on them), 2. are well tested (e.g. have a large user group or a 100% test coverage). Modules that fail on both aspects (like `log4j-cassandra`, `log4j-couchdb` or `log4j-jeromq`) should be dropped. There is no disagreement on that. On the other hand there are modules that are actively maintained (or need no maintenance) and are used by one of our employers. In this category we can find `log4j-jdbc*`, `log4j-csv`, `log4j-docker`, `log4j-kubernetes` and `log4j-to-jul`. We should not throw them away, but we need a sign that tells the user: * `log4j-docker` has not been used in a long time. The JSON configuration it retrieves from Docker might not match the expected schema, * `log4j-jdbc` is rarely used (i.e. tested against a very limited number of configurations). If you are not careful, you might have SQL injection, * `log4j-jndi` uses an old unsecure technology. It requires a competent sysadmin to prevent security breaches, * ... > Agreed. Sandbox could be open even for all ASF committers, entry barriers > could be low. Dormant components could go back to sandbox as well, if new > people want to work on it. Can we create a repo open to all Apache committers? If yes, let's create a `logging-sandbox` repo right now. Piotr