> On Nov 1, 2023, at 2:22 PM, Christian Grobmeier <grobme...@apache.org> wrote:
> 
> We should not underestimate the impact Log4Shell had. JNDI was at the
> epicenter. Us providing a giant jar including so much stuff with potential
> security holes doesn't do us a favor.

This is exactly why in 3.x, the main branch, most of the non-core functionality 
was removed from the core jar. JNDI support is offloaded into its own dedicated 
jar, and besides that, you still need to specify a system property to enable 
it. I still think there’s more that can be done in core to remove other 
dependencies, but it’s already at the point where it only (or almost only) 
requires the java.base module (while still bundling some optional things that 
should be split out).

To answer your other question, this makes it its own dependency. I’m not sure 
if any other modules besides the JMX GUI are being split into their own 
dedicated git repositories, but 3.x has significantly split up the bloat of 
optional plugins into their own modules.
