Re: Archiving Chainsaw and Flume GitHub repositories

[Volkan Yazıcı]

Hey Ralph! In the last 6 months, I haven't noticed any progress regarding
these projects. Though you might have changes ready locally, or I might
have missed your activity. Would you mind updating us on your progress and
plans, please?

On Wed, Jan 15, 2025 at 2:21 PM Ralph Goers 
wrote:

> -1 on Flume
>
> Despite you not seeing visible evidence I am still working on these. I am
> actually fairly confident I will need to create releases of Flume in the
> next 6 months.
>
> Ralph
>
> > On Jan 15, 2025, at 2:05 AM, Volkan Yazıcı  wrote:
> >
> > Chainsaw and Flume projects have been moved to dormant state with PMC
> > consensus. Yet their GitHub repositories (i.e., `logging-chainsaw` and
> > `logging-flume*`) don't reflect this and they  weekly get flagged by
> GitHub
> > due to vulnerable dependencies. This is also confusing for users, since
> the
> > list of Logging Services dormant projects
> >  and the GitHub repository
> > statuses don't match.
> >
> > *I suggest archiving¹ `logging-chainsaw` and `logging-flume*` GitHub
> > repositories. Objections?*
> >
> > ¹ When a GitHub project gets archived, it becomes read-only. This is a
> > reversible operation; we can anytime unarchive these projects if PMC
> > decides to start maintaining them again.
>
>

Re: [VOTE] Release Apache Log4j `2.25.0` (RC1)

[Volkan Yazıcı]

+1

✅ Signatures
✅ Checksums
✅ Build

*Build command:*

./mvnw verify \
-Prelease \
-Dbuildinfo.ignore="*/log4j-bom-2.25.0-cyclonedx.xml" \
artifact:compare \
-Dreference.repo=
https://repository.apache.org:443/content/repositories/orgapachelogging-1319

*Build environment:*

$ lsb_release -a
Ubuntu 24.04.2 LTS

$ java -version
openjdk version "17.0.15" 2025-04-15
OpenJDK Runtime Environment (build 17.0.15+6-Ubuntu-0ubuntu124.04)
OpenJDK 64-Bit Server VM (build 17.0.15+6-Ubuntu-0ubuntu124.04, mixed mode,
sharing)

On Fri, Jun 13, 2025 at 9:01 PM Piotr P. Karwasz 
wrote:

> This is a vote to release the Apache Log4j `2.25.0`.
>
> Website: https://logging.staged.apache.org/log4j/2.25.0/index.html
> GitHub: https://github.com/apache/logging-log4j2
> Commit: ea10ad3e78469e43f138853b8c9892bc51bc87ec
> Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j/2.25.0
> Nexus:
>
> https://repository.apache.org:443/content/repositories/orgapachelogging-1319
> Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0
> Review kit:
>
> https://logging.apache.org/logging-parent/release-review-instructions.html[*]
>
> Please download, test, and cast your votes on this mailing list and
> optionally on ATR[**].
>
> [ ] +1, release the artifacts
> [ ] -1, don't release, because...
>
> This vote is open for 72 hours and will pass unless getting a net
> negative vote count. All votes are welcome and we encourage everyone to
> test the release, but only the Logging Services PMC votes are officially
> counted. At least 3 +1 votes and more positive than negative votes are
> required.
>
> [*] The reproducibility check for the
> `log4j-bom-2.25.0-cyclonedx.xml` artifact may fail for an
> undetermined reason. Local testing indicates that any differences are
> limited to the ordering of the `jspecify` dependency in the XML file,
> which does not affect the meaning of the SBOM.
>
> Reviewers are advised to ignore this failure by adding the following
> parameter to the Maven command line:
>
>   -Dbuildinfo.ignore="*/log4j-bom-2.25.0-cyclonedx.xml"
>
> [**] Since Apache Trusted Release is in an alpha stage, votes cast
> through ATR will not be officially counted. Nevertheless I invite Apache
> committers to test it at this URL:
>
> https://release-test.apache.org/vote/logging-log4j/2.25.0
>
>
> Release Notes
> -
>
> This minor release introduces bug fixes, behavior improvements, and
> complete support for GraalVM native image generation.
>
> GraalVM Reachability Metadata
> -
>
> Log4j Core and all extension modules now include embedded GraalVM
> reachability metadata [1], enabling seamless generation of native
> images with GraalVM out of the box—no manual configuration required.
> For more information, refer to our GraalVM guide [2].
>
> Note:
>
> When building third-party Log4j plugins, using the new
> `GraalVmProcessor` introduced in version `2.25.0` will automatically
> generate the required reachability metadata for GraalVM native images.
> However, the processor will fail the build if the required
> `log4j.graalvm.groupId` and `log4j.graalvm.artifactId` parameters are
> not provided. For detailed instructions, see Registering plugins [3].
>
> Exception Handling in Pattern Layout
> 
>
> Exception handling in Pattern Layout [4] has undergone a significant
> rewrite. This update resolves several bugs and ensures consistent
> behavior across all exception converters. Key improvements include:
>
> * Stack traces are now consistently prefixed with a newline.
> * The default exception converter has changed from extended [5] to
>   plain [6], offering better performance.
> * Support for the `{ansi}` option in exception converters has been
>   removed.
>
> Date & Time Formatting
> --
>
> Log4j has historically provided custom date and time formatters for
> performance, such as FixedDateFormat [7] and FastDateFormat [8]. These
> are now deprecated in favor of Java’s standard DateTimeFormatter [9].
>
> If you encounter formatting issues after upgrading—particularly with `n`
> or `x` directives—you can temporarily revert to the legacy formatters by
> setting the `log4j2.instantFormatter` property to `legacy` [10]. Please
> report any issues via our issue tracker [11].
>
> ANSI Support on Windows
> 
>
> Modern Windows versions (10 and newer) provide native ANSI escape
> sequence support. As a result, dependency on the outdated JAnsi 1.x
> library has been removed. For details, refer to ANSI styling on Windows
> [12].
>
> Jakarta JMS Appender
> -
>
> A Jakarta-compatible version of the JMS Appender [13] is now included in
> the core distribution.
>
> Detailed release notes
> ---
>
> For all the changes in this release, see the website [14].
>
> Links:
> [1] https://www.graalvm.org/latest/reference-manual/native-image/metadata/
> [2] https://loggi

[ANNOUNCE] Apache Log4j `2.25.0` released

[Piotr P. Karwasz]

The Apache Log4j team is pleased to announce the `2.25.0`
release. Apache Log4j is a versatile, industrial-strength
Java logging framework composed of an API, its implementation,
and components to assist the deployment for various use cases.
For further information (support, download, etc.) see the project
website:

   https://logging.apache.org/log4j/2.x/index.html

Download page: https://logging.apache.org/log4j/2.x/download.html

Release Notes
-

This minor release introduces bug fixes, behavior improvements, and
complete support for GraalVM native image generation.

GraalVM Reachability Metadata
-

Log4j Core and all extension modules now include embedded GraalVM
reachability metadata [1], enabling seamless generation of native
images with GraalVM out of the box—no manual configuration required.
For more information, refer to our GraalVM guide [2].

Note:

When building third-party Log4j plugins, using the new
`GraalVmProcessor` introduced in version `2.25.0` will automatically
generate the required reachability metadata for GraalVM native images.
However, the processor will fail the build if the required
`log4j.graalvm.groupId` and `log4j.graalvm.artifactId` parameters are
not provided. For detailed instructions, see Registering plugins [3].

Exception Handling in Pattern Layout


Exception handling in Pattern Layout [4] has undergone a significant
rewrite. This update resolves several bugs and ensures consistent
behavior across all exception converters. Key improvements include:

* Stack traces are now consistently prefixed with a newline.
* The default exception converter has changed from extended [5] to
  plain [6], offering better performance.
* Support for the `{ansi}` option in exception converters has been
  removed.

Date & Time Formatting
--

Log4j has historically provided custom date and time formatters for
performance, such as FixedDateFormat [7] and FastDateFormat [8]. These
are now deprecated in favor of Java’s standard DateTimeFormatter [9].

If you encounter formatting issues after upgrading—particularly with `n`
or `x` directives—you can temporarily revert to the legacy formatters by
setting the `log4j2.instantFormatter` property to `legacy` [10]. Please
report any issues via our issue tracker [11].

ANSI Support on Windows


Modern Windows versions (10 and newer) provide native ANSI escape
sequence support. As a result, dependency on the outdated JAnsi 1.x
library has been removed. For details, refer to ANSI styling on Windows
[12].

Jakarta JMS Appender
-

A Jakarta-compatible version of the JMS Appender [13] is now included in
the core distribution.

Detailed release notes
---

For all the changes in this release, see the website [14].

Links:
[1] https://www.graalvm.org/latest/reference-manual/native-image/metadata/
[2] https://logging.apache.org/log4j/2.x/manual/graalvm.html
[3]
https://logging.apache.org/log4j/2.x/manual/plugins.html#plugin-registry
[4]
https://logging.staged.apache.org/log4j/2.25.0/manual/pattern-layout.html
[5]
https://logging.apache.org/log4j/2.x/manual/pattern-layout.html#converter-exception-extended
[6]
https://logging.apache.org/log4j/2.x/manual/pattern-layout.html#converter-exception
[7]
https://logging.apache.org/log4j/2.x/javadoc/log4j-core/org/apache/logging/log4j/core/util/datetime/FixedDateFormat.html
[8]
https://logging.apache.org/log4j/2.x/javadoc/log4j-core/org/apache/logging/log4j/core/util/datetime/FastDateFormat.html
[9]
https://docs.oracle.com/javase/8/docs/api/java/time/format/DateTimeFormatter.html
[10]
https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.instantFormatter
[11] https://logging.apache.org/logging-services/support.html#issues
[12]
https://logging.apache.org/log4j/2.x/manual/pattern-layout.html#jansi
[13]
https://logging.apache.org/log4j/2.x/manual/appenders/message-queue.html#JmsAppender
[14]
https://logging.apache.org/log4j/2.x/release-notes.html#release-notes-2-25-0

[ANNOUNCE] Apache Commons FileUpload 2.0.0-M4

[Gary Gregory]

The Apache Commons FileUpload team is pleased to announce the release
of Apache Commons FileUpload 2.0.0-M4.

The Apache Commons FileUpload component provides a simple yet flexible
means of adding support for multipart file upload functionality to
Servlets and web applications. This version requires Java 11 or above.

This release requires Java 11.

Changes in version 2.0.0-M4 include:

New features:
o  SECURITY - CVE-2025-48976. Add partHeaderSizeMax, a new limit that
sets a maximum number of bytes for each individual multipart header.
The default is 512 bytes. Thanks to Mark Thomas.

Fixed Bugs:
o  Simplify exception handling in FileItem API #309. Thanks to Basil Crow.

For complete information on Apache Commons FileUpload, including
instructions on how to submit bug reports, patches, or suggestions for
improvement, see the Apache Commons FileUpload website:

https://commons.apache.org/proper/commons-fileupload/

Download it from
https://commons.apache.org/proper/commons-fileupload/download_fileupload.cgi

Gary Gregory
Apache Commons

Re: [VOTE] Release Apache Log4j `2.25.0` (RC1)

[Piotr P. Karwasz]

Hi all,

On 13.06.2025 20:59, Piotr P. Karwasz wrote:
> This is a vote to release the Apache Log4j `2.25.0`.
> 
> Website: https://logging.staged.apache.org/log4j/2.25.0/index.html
> GitHub: https://github.com/apache/logging-log4j2
> Commit: ea10ad3e78469e43f138853b8c9892bc51bc87ec
> Distribution: https://dist.apache.org/repos/dist/dev/logging/log4j/2.25.0
> Nexus:
> https://repository.apache.org:443/content/repositories/orgapachelogging-1319
> Signing key: 0x077e8893a6dcc33dd4a4d5b256e73ba9a0b592d0
> Review kit:
> https://logging.apache.org/logging-parent/release-review-instructions.html[*]
> 
> Please download, test, and cast your votes on this mailing list and
> optionally on ATR[**].
> 
> [ ] +1, release the artifacts
> [ ] -1, don't release, because...

And this is my +1.

With this the vote passes with 4 binding +1 from Gary Gregory, Jan
Friedrich, Volkan Yazıcı and me.

I will continue the release process.

Piotr