Breaking changes in Log4j API 3.x

2023-10-09 Thread Piotr P. Karwasz
Hi all, We have often declared that 3.x will **not** constitute a major version for Log4j API and that everything that used to work with 2.x will work with 3.x (even provider code). However, that statement does not apply in practice, since some breaking changes **were** introduced e.g. in the `uti

Re: Breaking changes in Log4j API 3.x

2023-10-09 Thread Gary Gregory
I think it is OK to break compatibility in a major version. I can't believe we'd ship classes that are duplicates of Java classes like BiConsumer. Gary On Mon, Oct 9, 2023, 4:17 AM Piotr P. Karwasz wrote: > Hi all, > > We have often declared that 3.x will **not** constitute a major > version fo

RE: [log4j] Improving log4j security

2023-10-09 Thread Klebanov, Vladimir
Thanks, Piotr. I don't know what happened to your replies (maybe the spam filter dropped them), but I am happy that we recovered from that now. Log injections are definitely security issues, but if you prefer to talk about them in the open, I will follow suit. For context: a log injection occur

Re: Breaking changes in Log4j API 3.x

2023-10-09 Thread Ralph Goers
I think you are on the right track. We have to think of the main use case where a break in compatibility would cause a problem - an application uses libraries compiled with Log4j 2.x. I am much less concerned about custom plugins as presumably the user has some control over them. That said, I w

[all] Sonarcloud

2023-10-09 Thread Christian Grobmeier
Hi, I added a fork of Chainsaw to Sonarcloud, which I find very helpful: https://sonarcloud.io/summary/overall?id=grobmeier_logging-chainsaw I asked Infra, and they would add projects by request to Sonarcloud. If you are interested, I'd like to add that to our repos. If not, it is fine because

Re: [chainsaw] What is necessary for a 2.2 release?

2023-10-09 Thread Christian Grobmeier
On Sun, Oct 8, 2023, at 23:19, Scott Deboy wrote: > I started but haven't had much time this week. The UI updates driven by > settings changes are most of what I have left. OK great to hear, in that case I hold myself back a little longer :) Thanks! > > On Sun, Oct 8, 2023, 2:17 PM Christian Gro

Re: [all] Sonarcloud

2023-10-09 Thread Piotr P. Karwasz
Hi Christian, On Mon, 9 Oct 2023 at 21:24, Christian Grobmeier wrote: > I asked Infra, and they would add projects by request to Sonarcloud. > > If you are interested, I'd like to add that to our repos. Sounds good to me. Right now I am checking the major "bugs" found by SpotBugs, but using mult

Re: [log4j] Improving log4j security

2023-10-09 Thread Volkan Yazıcı
*[I am sharing my earlier response (almost) verbatim below.]* I would like to address both your old and your most recent email *myself* – that is, it only reflects my personal view, and not that of the PMC. > A HTML-safe layout is only achieved if > defined akin to: > > `. > Would Log4j be willi

Re: Breaking changes in Log4j API 3.x

2023-10-09 Thread Volkan Yazıcı
I doubt a majority of the external plugins would work against `3.x`. I raised this issue on July 25th, though I didn't get any reactions. On Mon, Oct 9, 2023 at 8:57 PM Ralph Goers wrote: > I think you are on the right track. We

Re: Breaking changes in Log4j API 3.x

2023-10-09 Thread Piotr P. Karwasz
Hi Gary, On Mon, 9 Oct 2023 at 13:04, Gary Gregory wrote: > I think it is OK to break compatibility in a major version. I can't believe > we'd ship classes that are duplicates of Java classes like BiConsumer. I would very much like to add breaking changes to Log4j API too, but we can not reasona

Re: Breaking changes in Log4j API 3.x

2023-10-09 Thread Piotr P. Karwasz
On Mon, 9 Oct 2023 at 20:57, Ralph Goers wrote: > We cannot put users in a position where they cannot upgrade until all their > dependencies do. I agree, at work I still had a lot of libraries that depended on Commons Lang 2, although > Note that Spring Boot builds with Log4j 2.x. It needs acce

Re: [log4j] Improving log4j security

2023-10-09 Thread Christian Grobmeier
Since Piotr's response went to spam (thanks for confirming), I'd like to make sure you received Volkan's questions as well. Please let me know if you did. If you didn't, he sent his response to the mailing list; if you need help subscribing, please let me know. On Mon, Oct 9, 2023, at 22:28, Volk

Re: Breaking changes in Log4j API 3.x

2023-10-09 Thread Ralph Goers
> On Oct 9, 2023, at 2:14 PM, Piotr P. Karwasz wrote: > > On Mon, 9 Oct 2023 at 20:57, Ralph Goers wrote: >> We cannot put users in a position where they cannot upgrade until all their >> dependencies do. > > I agree, at work I still had a lot of libraries that depended on > Commons Lang 2,

Re: [log4j] Improving log4j security

2023-10-09 Thread Ralph Goers
Also note that you can use lists.apache.org to view the emails of any public ASF list to ensure you didn’t miss any. Ralph > On Oct 9, 2023, at 4:14 PM, Christian Grobmeier wrote: > > Since Piotr's response went to spam (thanks for confirming) I'd like to make > sure