Re: [VOTE] Release Apache Log4j `2.24.0`

[Gary Gregory]

On Sun, Sep 1, 2024 at 6:01 PM Piotr P. Karwasz  wrote:
>
> Hi Gary,
>
> On Sun, 1 Sept 2024 at 23:34, Gary Gregory  wrote:
> > Now I get:
> >
> > [INFO] Results:
> > [INFO]
> > [ERROR] Failures:
> > [ERROR]   NetUtilsTest.testCanonicalHostName:78
> > Expecting actual:
> >   "localhost"
> > to contain:
> >   "."
> > [INFO]
> > [ERROR] Tests run: 2253, Failures: 1, Errors: 0, Skipped: 31
> > [INFO]
> >
> > ?
>
> Oops, that might happen on some hosts, if they don't have a fully
> qualified domain name. Is `hostname --fqdn` also returning `localhost`
> on your machine.
>
> In the future I will disable the test on such a host (cf. [1]).

Ah... good one! I'll try again with:
sh mvnw -Prelease verify artifact:compare -Dreference.repo=$NEXUS_REPO
-Dtest='!NetUtilsTest#testCanonicalHostName'
-Dsurefire.failIfNoSpecifiedTests=false
...

TY!
Gary
>
> Piotr
>
> [1] 
> https://github.com/apache/logging-log4j2/commit/84ca9bd246b83e5c93d59c92acbd180022e0747f

Re: [VOTE] Release Apache Log4j `2.24.0`

[Gary Gregory]

Hi All,

Thank you Piotr for preparing the RC.

Using the review kit, this is what I get on the step 'sh mvnw
-Prelease verify artifact:compare -Dreference.repo=$NEXUS_REPO'

[INFO] --- artifact:3.5.1:compare (default-cli) @ log4j-bom ---
[WARNING]  property is inherited, it
should be defined in pom.xml
Downloading from reference:
https://repository.apache.org/content/repositories/orgapachelogging-1293/org/apache/logging/log4j/log4j-bom/2.24.0/log4j-bom-2.24.0.buildinfo
[INFO] Reference buildinfo file not found: it will be generated from
downloaded reference artifacts
Downloading from reference:
https://repository.apache.org/content/repositories/orgapachelogging-1293/org/apache/logging/log4j/log4j-bom/2.24.0/log4j-bom-2.24.0.pom
Downloaded from reference:
https://repository.apache.org/content/repositories/orgapachelogging-1293/org/apache/logging/log4j/log4j-bom/2.24.0/log4j-bom-2.24.0.pom
(12 kB at 79 kB/s)
Downloading from reference:
https://repository.apache.org/content/repositories/orgapachelogging-1293/org/apache/logging/log4j/log4j-bom/2.24.0/log4j-bom-2.24.0-cyclonedx.xml
Downloaded from reference:
https://repository.apache.org/content/repositories/orgapachelogging-1293/org/apache/logging/log4j/log4j-bom/2.24.0/log4j-bom-2.24.0-cyclonedx.xml
(413 kB at 595 kB/s)
[INFO] Minimal buildinfo generated from downloaded artifacts:
/Users/garydgregory/rc/2.24.0/src/target/reference/log4j-bom-2.24.0.buildinfo
[ERROR] sha512 mismatch log4j-bom-2.24.0-cyclonedx.xml: investigate
with diffoscope
target/reference/org.apache.logging.log4j/log4j-bom-2.24.0-cyclonedx.xml
target/bom.xml
[ERROR] Reproducible Build output summary: 1 files ok, 1 different
[ERROR] see diff target/reference/log4j-bom-2.24.0.buildinfo
target/log4j-bom-2.24.0.buildinfo
[ERROR] see also
https://maven.apache.org/guides/mini/guide-reproducible-builds.html
[INFO] Reproducible Build output comparison saved to
/Users/garydgregory/rc/2.24.0/src/target/log4j-bom-2.24.0.buildcompare
[INFO] Aggregate buildcompare copied to
/Users/garydgregory/rc/2.24.0/src/target/log4j-bom-2.24.0.buildcompare
[INFO] 
[INFO] Reactor Summary for Apache Log4j BOM 2.24.0:
[INFO]
[INFO] Apache Log4j BOM ... FAILURE [ 33.856 s]

diff target/reference/log4j-bom-2.24.0.buildinfo
target/log4j-bom-2.24.0.buildinfo

says:

0a1,2
> # https://reproducible-builds.org/docs/jvm/
> buildinfo.version=1.0-SNAPSHOT
1a4,25
> name=Apache Log4j BOM
> group-id=org.apache.logging.log4j
> artifact-id=log4j-bom
> version=2.24.0
>
> # source information
> source.scm.uri=scm:git:https://github.com/apache/logging-log4j2.git
> source.scm.tag=2.x
>
> # build instructions
> build-tool=mvn
>
> # effective build environment information
> java.version=17.0.12
> java.vendor=Homebrew
> os.name=Mac OS X
>
> # Maven rebuild instructions and effective environment
> mvn.version=3.9.8
>
> # output
>
10c34
< 
outputs.1.checksums.sha512=157eb3ac9f87370a2c56afb4317433fd4733c5001e949df1278d9101fca57860f3a07c5f1665d612abc2e823d8b7c2b102dd2f779d4273b6ae177b87bd3d2760
---
> outputs.1.checksums.sha512=18b3831b831916588364e52b3f399d900c00a09d0e59cf9204c3ed5fa970428732e93cd8b417f7de725b7a57c417ddbeb6abb312e857250bb43d941e6214

I am using:

openjdk version "17.0.12" 2024-07-16
OpenJDK Runtime Environment Homebrew (build 17.0.12+0)
OpenJDK 64-Bit Server VM Homebrew (build 17.0.12+0, mixed mode, sharing)

Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)
Maven home: /usr/local/Cellar/maven/3.9.9/libexec
Java version: 17.0.12, vendor: Homebrew, runtime:
/usr/local/Cellar/openjdk@17/17.0.12/libexec/openjdk.jdk/Contents/Home
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "14.6.1", arch: "x86_64", family: "mac"

Darwin  23.6.0 Darwin Kernel Version 23.6.0: Mon Jul 29 21:13:00
PDT 2024; root:xnu-10063.141.2~1/RELEASE_X86_64 x86_64

Gary

On Sat, Aug 31, 2024 at 3:31 PM Piotr P. Karwasz
 wrote:
>
> This is a vote to release the Apache Log4j `2.24.0`.
>
> Website: https://logging.staged.apache.org/log4j/2.24.0/index.html
> GitHub: https://github.com/apache/logging-log4j2
> Commit: 08053687456f6be61ee8206da782a3d051928a57
> Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j
> Nexus: 
> https://repository.apache.org/content/repositories/orgapachelogging-1293
> Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0
>
> Please download, test, and cast your votes on this mailing list.
>
> [ ] +1, release the artifacts
> [ ] -1, don't release, because...
>
> This vote is open for 72 hours and will pass unless getting a
> net negative vote count. All votes are welcome and we encourage
> everyone to test the release, but only the Logging Services PMC
> votes are officially counted. At least 3 +1 votes and more
> positive than negative votes are required.
>
> == Review kit
>
> The minimum set of steps needed to review the uploaded distribution
> files in the Subversion r

Re: [VOTE] Release Apache Log4j `2.24.0`

[Piotr P. Karwasz]

Hi Gary,

On Sun, 1 Sept 2024 at 23:00, Piotr P. Karwasz  wrote:
> On Sun, 1 Sept 2024 at 22:44, Gary Gregory  wrote:
> > [ERROR] sha512 mismatch log4j-bom-2.24.0-cyclonedx.xml: investigate
> > with diffoscope
> > target/reference/org.apache.logging.log4j/log4j-bom-2.24.0-cyclonedx.xml
> > target/bom.xml
>
> Could you investigate with `diff
> target/reference/org.apache.logging.log4j/log4j-bom-2.24.0-cyclonedx.xml
> target/bom.xml`?

Since you are the main Release Manager of Apache Commons, try clearing
the local Maven cache (e.g. `~/.m2/repository/org/apache/commons`). It
is possible you have some unofficial Commons releases in your cache,
which breaks the reproducibility of the SBOM.

Piotr

Re: [VOTE] Release Apache Log4j `2.24.0`

[Piotr P. Karwasz]

Hi Gary,

On Sun, 1 Sept 2024 at 22:44, Gary Gregory  wrote:
> [ERROR] sha512 mismatch log4j-bom-2.24.0-cyclonedx.xml: investigate
> with diffoscope
> target/reference/org.apache.logging.log4j/log4j-bom-2.24.0-cyclonedx.xml
> target/bom.xml

Could you investigate with `diff
target/reference/org.apache.logging.log4j/log4j-bom-2.24.0-cyclonedx.xml
target/bom.xml`?

Piotr

Re: [VOTE] Release Apache Log4j `2.24.0`

[Piotr P. Karwasz]

Hi Gary,

On Sun, 1 Sept 2024 at 23:34, Gary Gregory  wrote:
> Now I get:
>
> [INFO] Results:
> [INFO]
> [ERROR] Failures:
> [ERROR]   NetUtilsTest.testCanonicalHostName:78
> Expecting actual:
>   "localhost"
> to contain:
>   "."
> [INFO]
> [ERROR] Tests run: 2253, Failures: 1, Errors: 0, Skipped: 31
> [INFO]
>
> ?

Oops, that might happen on some hosts, if they don't have a fully
qualified domain name. Is `hostname --fqdn` also returning `localhost`
on your machine.

In the future I will disable the test on such a host (cf. [1]).

Piotr

[1] 
https://github.com/apache/logging-log4j2/commit/84ca9bd246b83e5c93d59c92acbd180022e0747f

Re: [VOTE] Release Apache Log4j `2.24.0`

[Gary Gregory]

Here's new one:

[INFO] ---
[INFO]  T E S T S
[INFO] ---
[INFO]
[INFO] Results:
[INFO]
[INFO] Tests run: 0, Failures: 0, Errors: 0, Skipped: 0
[INFO]
[INFO] 
[INFO] Reactor Summary for Apache Log4j BOM 2.24.0:
[INFO]
[INFO] Apache Log4j BOM ... SUCCESS [ 20.229 s]
[INFO] Apache Log4j Parent  SUCCESS [  0.697 s]
[INFO] Apache Log4j API Java 9 support  SUCCESS [  8.392 s]
[INFO] Apache Log4j API ... SUCCESS [ 19.908 s]
[INFO] Apache Log4j Implementation Java 9 support . SUCCESS [  7.685 s]
[INFO] Apache Log4j Core .. SUCCESS [01:29 min]
[INFO] Apache Log4j API Tests . FAILURE [ 14.561 s]
[INFO] Apache Log4j Core Tests  SKIPPED
[INFO] Apache Log4j 1.x Compatibility API . SKIPPED
[INFO] Apache Log4j App Server Support  SKIPPED
[INFO] Log4j API to SLF4J Adapter . SKIPPED
[INFO] SLF4J 1 Binding for Log4j API .. SKIPPED
[INFO] Apache Log4j Cassandra . SKIPPED
[INFO] Apache Log4j Core Integration Tests  SKIPPED
[INFO] Apache Log4j CouchDB ... SKIPPED
[INFO] Apache Log4j Docker Library  SKIPPED
[INFO] Apache Log4j Streaming Interface ... SKIPPED
[INFO] Apache Log4j Jakarta SMTP .. SKIPPED
[INFO] Apache Log4j Jakarta Web ... SKIPPED
[INFO] Apache Log4j Commons Logging Bridge  SKIPPED
[INFO] Apache Log4j JPA ... SKIPPED
[INFO] Apache Log4j JDK Platform Logging Adapter .. SKIPPED
[INFO] Apache Log4j JDBC DBCP 2 ... SKIPPED
[INFO] Apache Log4j JUL Adapter ... SKIPPED
[INFO] Apache Log4j JSON Template Layout .. SKIPPED
[INFO] Apache Log4j JSON Template Layout tests  SKIPPED
[INFO] Apache Log4j MongoDB 4 . SKIPPED
[INFO] Apache Log4j MongoDB Appender .. SKIPPED
[INFO] Apache Log4j to JUL Bridge . SKIPPED
[INFO] Apache Log4j OSGi tests  SKIPPED
[INFO] Apache Log4J Performance Tests . SKIPPED
[INFO] SLF4J 2 Provider for Log4j API . SKIPPED
[INFO] Apache Log4j Spring Boot Support ... SKIPPED
[INFO] Apache Log4j Spring Cloud Config Client Support  SKIPPED
[INFO] Apache Log4j Web ... SKIPPED
[INFO] Apache Log4j Tag Library ... SKIPPED
[INFO] 
[INFO] BUILD FAILURE
[INFO] 
[INFO] Total time:  02:42 min
[INFO] Finished at: 2024-09-01T19:32:39-04:00
[INFO] 
[ERROR] Failed to execute goal
org.apache.maven.plugins:maven-surefire-plugin:3.5.0:test
(default-test) on project log4j-api-test: Execution default-test of
goal org.apache.maven.plugins:maven-surefire-plugin:3.5.0:test failed:
java.lang.ClassFormatError: Truncated class file -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to
execute goal org.apache.maven.plugins:maven-surefire-plugin:3.5.0:test
(default-test) on project log4j-api-test: Execution default-test of
goal org.apache.maven.plugins:maven-surefire-plugin:3.5.0:test failed:
java.lang.ClassFormatError: Truncated class file
at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2
(MojoExecutor.java:333)
at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute
(MojoExecutor.java:316)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute
(MojoExecutor.java:212)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute
(MojoExecutor.java:174)
at org.apache.maven.lifecycle.internal.MojoExecutor.access$000
(MojoExecutor.java:75)
at org.apache.maven.lifecycle.internal.MojoExecutor$1.run
(MojoExecutor.java:162)
at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute
(DefaultMojosExecutionStrategy.java:39)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute
(MojoExecutor.java:159)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject
(LifecycleModuleBuilder.java:105)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject
(LifecycleModuleBuilder.java:73)
at 
org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build
(SingleThreadedBuilder.java:53)
at org.apache.maven.lifecycle.interna

Re: [Discuss][VOTE] Release Apache Log4j `2.24.0`

[Piotr P. Karwasz]

Hi Ralph,

On Sat, 31 Aug 2024 at 22:56, Ralph Goers  wrote:
> I looked at the download page and it does NOT meet the requirements for a 
> release announcement:
> ...
> Note that the web site is NOT officially part of the release so I am NOT 
> going to vote -1 due to any web site issues. Just be aware you are likely to 
> have problems announcing the release.

On Sat, 31 Aug 2024 at 23:00, Ralph Goers  wrote:
> "log4j-flume-ngT
> The module has been moved to the Flume project and follows the Apache 
> Flume release lifecycle.
>
> We NEVER discussed this. We simply discussed moving it to another repo. As in 
> 3.0.0, where more modules are split out, I believe it would be more 
> appropriate to say that they will have their own release cycles.

On Sat, 31 Aug 2024 at 23:06, Ralph Goers  wrote:
> The API section has
>
> Thread Context is mostly superseded by Scoped Context, which, unlike Thread 
> Context,
> • is safe to use in servlet applications
> • can store any Object-typed value

Thanks for pointing that out. I'll fix the website before sending any
announcement. A patch is already available in [1], if you want to
review it.

As you remarked above, the web site is not part of the release, so I
see no reason to cancel the RC1 vote.

Piotr

[1] https://github.com/apache/logging-log4j2/pull/2912

Re: [VOTE] Release Apache Log4j `2.24.0`

[Volkan Yazıcı]

+1

Verification steps pass locally.

Website-related issues are not a release blocker and can easily be fixed
thanks to our new website auto-deployment infrastructure
. As a matter
of fact, I see Piotr already has the website corrections (#2912)
 ready. Once `2.24.0`
is released, we just need to cherry-pick his PR from `2.x` to
[to-be-created-during-release] `2.x-site-pro`, and voila.

More importantly... I want to take this opportunity to thank Piotr and
Christian. 🙇 We have spent ~4 months rewriting *the entire website*
(including its technical infrastructure!) and I think the result is a big
success. 🚀 I can brag about this a lot, but I will let our users be the
judge of that.

On Sat, Aug 31, 2024 at 9:31 PM Piotr P. Karwasz 
wrote:

> This is a vote to release the Apache Log4j `2.24.0`.
>
> Website: https://logging.staged.apache.org/log4j/2.24.0/index.html
> GitHub: https://github.com/apache/logging-log4j2
> Commit: 08053687456f6be61ee8206da782a3d051928a57
> Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j
> Nexus:
> https://repository.apache.org/content/repositories/orgapachelogging-1293
> Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0
>
> Please download, test, and cast your votes on this mailing list.
>
> [ ] +1, release the artifacts
> [ ] -1, don't release, because...
>
> This vote is open for 72 hours and will pass unless getting a
> net negative vote count. All votes are welcome and we encourage
> everyone to test the release, but only the Logging Services PMC
> votes are officially counted. At least 3 +1 votes and more
> positive than negative votes are required.
>
> == Review kit
>
> The minimum set of steps needed to review the uploaded distribution
> files in the Subversion repository can be summarized as follows:
>
> # Check out the distribution
> svn co https://dist.apache.org/repos/dist/dev/logging/log4j/2.24.0 &&
> cd $_
>
> # Verify checksums
> shasum --check *.sha512
>
> # Verify signatures
> wget -O - https://downloads.apache.org/logging/KEYS | gpg --import
> for sigFile in *.asc; do gpg --verify $sigFile; done
>
> # Verify reproduciblity
> umask 0022
> unzip *-src.zip -d src
> cd src
> export NEXUS_REPO=
> https://repository.apache.org/content/repositories/orgapachelogging-1293
> sh mvnw -Prelease verify artifact:compare -Dreference.repo=$NEXUS_REPO
> # If preferred, augment `mvnw` with `-DskipTests` to speed things up
>
> == Release Notes
>
> This release contains improvements and changes in several areas of Apache
> Log4j:
>
> === Log4j API
>
> The `2.24.0` version of Log4j API has been enhanced with changes from
> the 3.x branch and will be used by both Log4j 2 Core and Log4j 3 Core
> releases.
> The changes include:
>
> * A faster default `ThreadContextMap`.
> * Enhanced GraalVM support: native binaries that use Log4j API will no
> longer require additional GraalVM configuration.
> * The configuration properties subsystem now only accepts the official
> pre-2.10 property names and the normalized post-2.10 names.
> Check your configuration for typos.
>
> === Documentation
>
> The Apache Log4j 2 website has been almost entirely rewritten to
> provide improved documentation and faster access to the information
> you need.
>
> [1] https://logging.staged.apache.org/log4j/2.24.0/index.html
>
> === Bridges
>
> The JUL-to-Log4j API and Log4j 1-to-Log4j API will no longer be able
> to modify the configuration of Log4j Core by default.
> If such a functionality is required, it must be explicitly enabled.
>
> === Modules
>
> The following Log4j Core additional modules have been removed:
>
> `log4j-flume-ng`::
> The module has been moved to the Flume project and follows the Apache
> Flume release lifecycle.
>
> `log4j-kubernetes`::
> The module has been moved to the
>
> https://github.com/fabric8io/kubernetes-client/blob/main/doc/KubernetesLog4j.md[Fabric8.io
> Kubernetes project] and follows the Fabric8.io release lifecycle.
>
> `log4j-mongodb3`::
> The module based on MongoDB Java client version 3.x has been removed.
> Please migrate to `log4j-mongodb` (client version 5.x) or
> `log4j-mongodb4` (client version 4.x).
>
> === JMX changes
>
> Starting in version 2.24.0, JMX support is disabled by default and can
> be re-enabled via the `log4j2.disableJmx=false` system property.
>
> === Added
>
> * Add a faster `DefaultThreadContextMap` implementation. (#2330)
> * Add Logback throwable-consuming semantics as an option in
> `log4j-slf4j-impl` and `log4j-slf4j2-impl`. Users can enable it by
> setting the property `log4j2.messageFactory` to
> `org.apache.logging.slf4j.message.ThrowableConsumingMessageFactory`.
> (#2363)
> * Add trace context fields to `GcpLayout.json` (#2498)
> * Add _"Plugin Reference"_ to the website. It is a Javadoc-on-steroids
> focusing on Log4j plugins. (#1954)
> * Automate webs

Re: [VOTE] Release Apache Log4j `2.24.0`

[Gary Gregory]

On Sun, Sep 1, 2024 at 5:09 PM Piotr P. Karwasz  wrote:
>
> Hi Gary,
>
> On Sun, 1 Sept 2024 at 23:00, Piotr P. Karwasz  
> wrote:
> > On Sun, 1 Sept 2024 at 22:44, Gary Gregory  wrote:
> > > [ERROR] sha512 mismatch log4j-bom-2.24.0-cyclonedx.xml: investigate
> > > with diffoscope
> > > target/reference/org.apache.logging.log4j/log4j-bom-2.24.0-cyclonedx.xml
> > > target/bom.xml
> >
> > Could you investigate with `diff
> > target/reference/org.apache.logging.log4j/log4j-bom-2.24.0-cyclonedx.xml
> > target/bom.xml`?
>
> Since you are the main Release Manager of Apache Commons, try clearing
> the local Maven cache (e.g. `~/.m2/repository/org/apache/commons`). It
> is possible you have some unofficial Commons releases in your cache,
> which breaks the reproducibility of the SBOM.

Yep, that helped! TY Piotr.

rm -rf ~/.m2/repository/org/apache/commons
sh mvnw -Prelease verify artifact:compare -Dreference.repo=$NEXUS_REPO

Now I get:

[INFO] Results:
[INFO]
[ERROR] Failures:
[ERROR]   NetUtilsTest.testCanonicalHostName:78
Expecting actual:
  "localhost"
to contain:
  "."
[INFO]
[ERROR] Tests run: 2253, Failures: 1, Errors: 0, Skipped: 31
[INFO]

?

Gary

>
> Piotr