> On Nov 1, 2023, at 2:22 PM, Christian Grobmeier <grobme...@apache.org> wrote:
>
> We should not underestimate the impact Log4Shell had. JNDI was at the epicenter. Us, providing a giant jar including so much stuff with potential security holes doesn’t do us a favor.

This is exactly why in 3.x, the main branch, most of the non-core functionality was removed from the core jar. JNDI support is offloaded into its own dedicated jar, and besides that, you still need to specify a system property to enable it. I still think there’s more that can be done in core to remove other dependencies, but it’s already at the point where it only (or almost only) requires the java.base module (while still bundling some optional things that should be split out). To answer your other question, this makes it its own dependency. I’m not sure if any other modules besides the JMX GUI are being split into their own dedicated git repositories, but 3.x has significantly split up the bloat of optional plugins into their own modules.