Re: [log4j] Checkout from git is broken
We mention the `gitbox` keyword neither in the sources, nor in the docs. There is a GitHub link at the top right corner of every page in the website. `pom.xml`s SCM block points to GitHub. `CONTRIBUTING.md` only hints to GitHub resources – though I agree there is no direct link to the repository there. I think everybody _assumes_ GitHub is the default repository. Maybe we should clearly document this. Regarding the `nonexistent ref` error you get, we have renamed quite some branches[1]. In particular, `master` → `main` and `release-2.x` → `2.x`. I hope this clarifies things for you. [1] https://lists.apache.org/thread/41wds37l4xmfzljgsgvplny811wd1v37 On Thu, Mar 9, 2023 at 11:51 PM Gary D. Gregory wrote: > Hi All: > > My expectation is that: > > C:\Users\ggregory\git\a>git clone > https://gitbox.apache.org/repos/asf/logging-log4j2.git logging-log4j3 > > Would clone and checkout master (or main or whatever the default branch is > called now) but instead, I get an empty folder and this output: > > Cloning into 'logging-log4j3'... > remote: Enumerating objects: 262413, done. > remote: Counting objects: 100% (262413/262413), done. > remote: Compressing objects: 100% (68647/68647), done. > remote: Total 262413 (delta 127358), reused 256238 (delta 122788) > Receiving objects: 100% (262413/262413), 38.27 MiB | 11.31 MiB/s, done. > Resolving deltas: 100% (127358/127358), done. > warning: remote HEAD refers to nonexistent ref, unable to checkout > > This says nothing to help: > https://github.com/apache/logging-log4j2/blob/2.x/BUILDING.md > and nothing jumps out at me on the main page > https://logging.apache.org/log4j/2.x/index.html > > So... what's the magic missing? > > TY! > Gary > >
Re: [log4j] Checkout from git is broken
So the branch renaming broke cloning and checking out code with the most basic git command? At least that's what the side effect seems to me. What's the fix? Or will no one ever be able to say 'git clone' as below and have it just work? Gary On Fri, Mar 10, 2023, 05:18 Volkan Yazıcı wrote: > We mention the `gitbox` keyword neither in the sources, nor in the docs. > > There is a GitHub link at the top right corner of every page in the > website. > > `pom.xml`s SCM block points to GitHub. > > `CONTRIBUTING.md` only hints to GitHub resources – though I agree there is > no direct link to the repository there. > > I think everybody _assumes_ GitHub is the default repository. Maybe we > should clearly document this. > > Regarding the `nonexistent ref` error you get, we have renamed quite some > branches[1]. In particular, `master` → `main` and `release-2.x` → `2.x`. > > I hope this clarifies things for you. > > [1] https://lists.apache.org/thread/41wds37l4xmfzljgsgvplny811wd1v37 > > On Thu, Mar 9, 2023 at 11:51 PM Gary D. Gregory > wrote: > > > Hi All: > > > > My expectation is that: > > > > C:\Users\ggregory\git\a>git clone > > https://gitbox.apache.org/repos/asf/logging-log4j2.git logging-log4j3 > > > > Would clone and checkout master (or main or whatever the default branch > is > > called now) but instead, I get an empty folder and this output: > > > > Cloning into 'logging-log4j3'... > > remote: Enumerating objects: 262413, done. > > remote: Counting objects: 100% (262413/262413), done. > > remote: Compressing objects: 100% (68647/68647), done. > > remote: Total 262413 (delta 127358), reused 256238 (delta 122788) > > Receiving objects: 100% (262413/262413), 38.27 MiB | 11.31 MiB/s, done. > > Resolving deltas: 100% (127358/127358), done. > > warning: remote HEAD refers to nonexistent ref, unable to checkout > > > > This says nothing to help: > > https://github.com/apache/logging-log4j2/blob/2.x/BUILDING.md > > and nothing jumps out at me on the main page > > https://logging.apache.org/log4j/2.x/index.html > > > > So... what's the magic missing? > > > > TY! > > Gary > > > > >
Re: Compiling with JDK 11 or JDK 17
I'm OK with our tooling requiring whatever makes our lives simplest as long we can guarantee that the target byte codes and *API calls* will work on Java 8 for 2.x. Gary On 2023/03/08 19:29:29 Volkan Yazıcı wrote: > I completely support both initiatives: > > 1. Moving the JDK to 17 (why stay at 11?) > 2. Moving `log4j-jmx-gui` to a separate repository > > We have pulled a similar stunt in `log4j-tools`: it uses JDK 11, though > targets 8. We can easily move `log4j-jmx-gui` to a separate repository by > copying the project infra (README, CI, release process, etc.) from > `log4j-tools`. > > On Fri, Mar 3, 2023 at 10:45 PM Piotr P. Karwasz > wrote: > > > Hi, > > > > Compiling 2.x using JDK 8 requires a lot of tricks: > > > > * Surefire scans classes using the main Maven JDK, so we must be sure > > `module-info.class` and other Java 9+ classes are not on the test > > classpath. This basically means we need to delete them before testing > > and creating them afterwards. > > * We need toolchains even if we disable tests, > > * Some Maven or compiler plugins (like Error Prone) either require > > Java 11 or are hard to configure on Java 8. > > > > That is why I would propose to bump the JDK requirement in the POM > > file to JDK 11+ (for `log4j-jpl`) and add `--release 8` everywhere it > > makes sense. > > > > For reproducibility purposes the CI and apache-release profiles would > > still need to fix a JDK (JDK 17?) for compilation and a JRE (JRE 8) > > for testing. But a casual user will be able to run the build process > > without toolchains. > > > > I have a working prototype on this branch: > > > > https://github.com/ppkarwasz/logging-log4j2/tree/java17 > > > > The only problem I wasn't able to solve is to compile `log4j-jmx-gui` > > with JDK 11+: it requires `jconsole.jar` in the classpath, all JDK's > > after 8 have a module for that. I think we could move it to a separate > > repo. > > > > Remark that `log4j-api`, which uses `sun.reflect.Reflection`, compiles > > perfectly with JDK 17 and `--release 8`. > > > > Piotr > > >
Re: [log4j] Checkout from git is broken
If you browse to https://github.com/apache/logging-log4j2 and clone the repository as described there: git clone g...@github.com:apache/logging-log4j2.git This not only works, but also lands you on the right branch: `2.x`. On Fri, Mar 10, 2023 at 12:47 PM Gary Gregory wrote: > So the branch renaming broke cloning and checking out code with the most > basic git command? At least that's what the side effect seems to me. What's > the fix? Or will no one ever be able to say 'git clone' as below and have > it just work? > > Gary > > On Fri, Mar 10, 2023, 05:18 Volkan Yazıcı wrote: > > > We mention the `gitbox` keyword neither in the sources, nor in the docs. > > > > There is a GitHub link at the top right corner of every page in the > > website. > > > > `pom.xml`s SCM block points to GitHub. > > > > `CONTRIBUTING.md` only hints to GitHub resources – though I agree there > is > > no direct link to the repository there. > > > > I think everybody _assumes_ GitHub is the default repository. Maybe we > > should clearly document this. > > > > Regarding the `nonexistent ref` error you get, we have renamed quite some > > branches[1]. In particular, `master` → `main` and `release-2.x` → `2.x`. > > > > I hope this clarifies things for you. > > > > [1] https://lists.apache.org/thread/41wds37l4xmfzljgsgvplny811wd1v37 > > > > On Thu, Mar 9, 2023 at 11:51 PM Gary D. Gregory > > wrote: > > > > > Hi All: > > > > > > My expectation is that: > > > > > > C:\Users\ggregory\git\a>git clone > > > https://gitbox.apache.org/repos/asf/logging-log4j2.git logging-log4j3 > > > > > > Would clone and checkout master (or main or whatever the default branch > > is > > > called now) but instead, I get an empty folder and this output: > > > > > > Cloning into 'logging-log4j3'... > > > remote: Enumerating objects: 262413, done. > > > remote: Counting objects: 100% (262413/262413), done. > > > remote: Compressing objects: 100% (68647/68647), done. > > > remote: Total 262413 (delta 127358), reused 256238 (delta 122788) > > > Receiving objects: 100% (262413/262413), 38.27 MiB | 11.31 MiB/s, done. > > > Resolving deltas: 100% (127358/127358), done. > > > warning: remote HEAD refers to nonexistent ref, unable to checkout > > > > > > This says nothing to help: > > > https://github.com/apache/logging-log4j2/blob/2.x/BUILDING.md > > > and nothing jumps out at me on the main page > > > https://logging.apache.org/log4j/2.x/index.html > > > > > > So... what's the magic missing? > > > > > > TY! > > > Gary > > > > > > > > >
[log4j] 2.x changelog
Hi All: Where are the steps I can follow to add an entry to the changelog (in this case for 2.20.1)? TY! Gary
Re: [log4j] Checkout from git is broken
On 2023/03/10 12:42:00 Volkan Yazıcı wrote: > If you browse to https://github.com/apache/logging-log4j2 and clone the > repository as described there: > > git clone g...@github.com:apache/logging-log4j2.git > > This not only works, but also lands you on the right branch: `2.x`. Pardon me for being dense but I've lost my patience, I'm trying to do many things today and getting nowhere with Log4j: ``` C:\tmp>git clone g...@github.com:apache/logging-log4j2.git foo Cloning into 'foo'... The authenticity of host 'github.com (140.82.112.4)' can't be established. ED25519 key fingerprint is SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'github.com' (ED25519) to the list of known hosts. g...@github.com: Permission denied (publickey). fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists. ``` Did you mean for "g...@github.com" to stand in for something else? "> If you browse to https://github.com/apache/logging-log4j2 and clone the > repository as described there:" As described there? The word "clone" does not even appear on that page. What am I missing? The GH UI in the "Code" drop-down says: https://github.com/apache/logging-log4j2.git So frustrated, Gary > > On Fri, Mar 10, 2023 at 12:47 PM Gary Gregory > wrote: > > > So the branch renaming broke cloning and checking out code with the most > > basic git command? At least that's what the side effect seems to me. What's > > the fix? Or will no one ever be able to say 'git clone' as below and have > > it just work? > > > > Gary > > > > On Fri, Mar 10, 2023, 05:18 Volkan Yazıcı wrote: > > > > > We mention the `gitbox` keyword neither in the sources, nor in the docs. > > > > > > There is a GitHub link at the top right corner of every page in the > > > website. > > > > > > `pom.xml`s SCM block points to GitHub. > > > > > > `CONTRIBUTING.md` only hints to GitHub resources – though I agree there > > is > > > no direct link to the repository there. > > > > > > I think everybody _assumes_ GitHub is the default repository. Maybe we > > > should clearly document this. > > > > > > Regarding the `nonexistent ref` error you get, we have renamed quite some > > > branches[1]. In particular, `master` → `main` and `release-2.x` → `2.x`. > > > > > > I hope this clarifies things for you. > > > > > > [1] https://lists.apache.org/thread/41wds37l4xmfzljgsgvplny811wd1v37 > > > > > > On Thu, Mar 9, 2023 at 11:51 PM Gary D. Gregory > > > wrote: > > > > > > > Hi All: > > > > > > > > My expectation is that: > > > > > > > > C:\Users\ggregory\git\a>git clone > > > > https://gitbox.apache.org/repos/asf/logging-log4j2.git logging-log4j3 > > > > > > > > Would clone and checkout master (or main or whatever the default branch > > > is > > > > called now) but instead, I get an empty folder and this output: > > > > > > > > Cloning into 'logging-log4j3'... > > > > remote: Enumerating objects: 262413, done. > > > > remote: Counting objects: 100% (262413/262413), done. > > > > remote: Compressing objects: 100% (68647/68647), done. > > > > remote: Total 262413 (delta 127358), reused 256238 (delta 122788) > > > > Receiving objects: 100% (262413/262413), 38.27 MiB | 11.31 MiB/s, done. > > > > Resolving deltas: 100% (127358/127358), done. > > > > warning: remote HEAD refers to nonexistent ref, unable to checkout > > > > > > > > This says nothing to help: > > > > https://github.com/apache/logging-log4j2/blob/2.x/BUILDING.md > > > > and nothing jumps out at me on the main page > > > > https://logging.apache.org/log4j/2.x/index.html > > > > > > > > So... what's the magic missing? > > > > > > > > TY! > > > > Gary > > > > > > > > > > > > > >
CVE-2023-26464: Apache Log4j 1.x (EOL) allows DoS in Chainsaw and SocketAppender
Severity: low Description: ** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Credit: Garrett Tucker of Red Hat (reporter) References: https://logging.apache.org/ https://www.cve.org/CVERecord?id=CVE-2023-26464
Re: [log4j] 2.x changelog
In `/CHANGELOG.adoc`. There is nothing special about it. Create a `/src/changelog/.2.x.x/-.xml` file, you can use the existing ones for inspiration, that is it. On Fri, Mar 10, 2023 at 1:51 PM Gary D. Gregory wrote: > Hi All: > > Where are the steps I can follow to add an entry to the changelog (in this > case for 2.20.1)? > > TY! > Gary >
Re: [log4j] Checkout from git is broken
Hi Gary, On Fri, 10 Mar 2023 at 12:47, Gary Gregory wrote: > So the branch renaming broke cloning and checking out code with the most > basic git command? At least that's what the side effect seems to me. What's > the fix? Or will no one ever be able to say 'git clone' as below and have > it just work? I think we must open an INFRA ticket. HEAD on Github points to `2.x`, whereas the HEAD on Gitbox points to the non-existent `release-2.x`. They should be synchronized, but apparently are not. Piotr
Re: [log4j] 2.x changelog
Thank you Volkan :-) Gary On Fri, Mar 10, 2023, 08:53 Volkan Yazıcı wrote: > In `/CHANGELOG.adoc`. There is nothing special about it. Create a > `/src/changelog/.2.x.x/-.xml` file, you can use the > existing ones for inspiration, that is it. > > On Fri, Mar 10, 2023 at 1:51 PM Gary D. Gregory > wrote: > > > Hi All: > > > > Where are the steps I can follow to add an entry to the changelog (in > this > > case for 2.20.1)? > > > > TY! > > Gary > > >
