No objections if you are volunteering to do the work. I do have concerns. Unless a new set of contributors wants to become part of the logging project and support Log4j 1 we do not want to give the impression that it is being supported.
Ralph > On Dec 15, 2021, at 10:14 AM, Leo Simons <[email protected]> wrote: > > Hey folks, > > First, thanks for all the hard work on 2.x, especially these last couple of > weeks! > Please take care of yourself and be kind to yourself :) > Obviously 2.x should get full focus from all that can productively > contribute to it. > > I do agree with Vladimir about giving 1.x a little attention. > With the whole world doing forensics it is clear how widespread 1.x still > is. > Seems worth it to make a slightly safer lib, for all those people that > cannot easily upgrade to 2.x, so they can just drop in a new jar. > > I investigated the current build a bit. Notes below mail. > It -does- seem feasible for a logging.a.o committer with SVN write access + > people.apache.org access to make a new 1.x release 'the ancient way' with > limited effort. > I.e. https://logging.apache.org/log4j/1.2/building.html is mostly workable > today. > But...then you are stuck with very old-style library maintenance. > Best clean house a bit more (right?). > > If cleanup is the way to go, seems some next steps include > * convert with svn2git > * I kicked off a run, takes a few hours > * bump the build toolchain up to modern standards/versions > * set up OpenJDK 6 as a mvn toolchain for compiling, for max > compatibility (toolchain pom.xml patch below). > * use any version of Maven 3 on an LTS version of Ubuntu with any JDK > (7+), clean up the build setup, delete some ancient cruft. > * don't bother releasing new binary versions of the windows DLLs, people > who need them can use the old DLLs or build from source. > * make some patches to delete vulnerable/network code > * perhaps add some warnings for now-unsupported (JMS) config > * add tests proving the new behavior > * write some docs on how to use the new version and link to 2.x upgrade > instructions > * draft some release notes > * fix generated site > * include the end-of-life disclaimer that's in the HTML (into template?) > * update with additional instructions > * make the site setup work with apache cms > * make it real easy to review the result, bake & propose an RC > * hand off to committers/PMC for release > > Make sense? Any suggestions or objections? > > Nothing too hard, just grunt work :) > > > Cheers, > > > Leo > > > Main findings > ------------- > * Main build is "fine" > * Log4J 1.x seems to build fine with modern JDK and modern Maven 3, > with source/target=1.4 set > * Log4J 1.x seems to build fine on ubuntu 14.0.4.6, with JDK 1.7 for > maven plus JDK 1.6 toolchain for compile, and an ancient Maven 3 > * probably best to pick this option 'for safety' > * see detailed howto below > * Compiles fine, tests pass > * Maven release plugin seems setup correctly and working > * needs committer with SVN write access to do `maven > release:prepare; maven release:perform` > * JNI/native build is not worrisome > * I did not attempt to re-build the NT DLLs, but this is not needed to > ship a new source dist or new jar, any users can pick old .dll with new jar > * jnd_md.h referred in build is easy to get: version from Oracle JDK 6 > is identical to OpenJDK 11 version aside from license header > * Site > * Maven site generates ok, but > * publishing instructions are wrong > * misses the end of life header > * Probably HTML site was edited by hand to add this header? > * Would suggest to simply edit HTML by hand some more > > Detailed steps to produce a build > --------------------------------- > * download and install virtualbox > * download and install ubuntu 14.04.6 LTS 64 bit VM > * https://www.osboxes.org/ubuntu/ > * this is the oldest supported LTS ubuntu > * ubuntu 12.04 LTS is closer but is unsupported > * this has openjdk 6 > * password osboxes.org > * apt-get dist-upgrade && reboot > * install virtualbox guest additions and reboot > * https://www.osboxes.org/guide/ > * to get jni_md.h: > * this does not seem to be strictly needed to make a release, the > native build gets skipped on linux > * best option: get it from > https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/windows/native/include/jni_md.h > * this is GPLv2 + classpath exception, classpath exception makes it > fine to use here > * cumbersome: download and install IE11 on Windows 7 64 bit VM > * https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ > * password Passw0rd! > * run windows update and reboot > * install virtualbox guest additions and reboot > * https://www.osboxes.org/guide/ > * download and install sun/oracle JDK 6u41 (matching ubuntu) > * > https://www.oracle.com/java/technologies/javase-java-archive-javase6-downloads.html > * open \Program Files\Java\jdk_1.6.....\include\win32 > * copy jni_md.h and paste to homedir on ubuntu > * alternative: get it from https://github.com/lsimons/jni_md.h > * got this file using the steps above > * don't use by downloading from here, that might be a bit illegal > in your jurisdiction > * proves it is the same file as in JDK11 as per above > > * follow rest of build instructions > * apt-get install openjdk-6-jdk > * apt-get install maven2 subversion mingw32 xemacs21 openssh-server > * sudo cp /mnt/Downloads/jni_md.h ~osboxes/ > * sudo chown osboxes:osboxes ~osboxes/jni_md.h > * export JNI_WIN32_INCLUDE_DIR=/home/osboxes > * export SVN_EDITOR=xemacs21 > * mkdir ~/.m2 > * cat >~/.m2/settings.xml <<END > <settings > xmlns="http://maven.apache.org/SETTINGS/1.0.0"; > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; > xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 > https://maven.apache.org/xsd/settings-1.0.0.xsd";> > <!--<mirrors> > <mirror> > <id>central-https</id> > <name>Central over HTTPS</name> > <url>https://repo1.maven.org/maven2</url> > <mirrorOf>central</mirrorOf> > </mirror> > </mirrors>--> > <profiles> > <profile> > <id>https</id> > <activation> > <activeByDefault>true</activeByDefault> > </activation> > <repositories> > <repository> > <id>central</id> > <name>Central Repository</name> > <url>https://repo1.maven.org/maven2</url> > <layout>default</layout> > <snapshots> > <enabled>false</enabled> > </snapshots> > </repository> > </repositories> > <pluginRepositories> > <pluginRepository> > <id>central</id> > <name>Central Repository</name> > <url>https://repo1.maven.org/maven2</url> > <layout>default</layout> > <snapshots> > <enabled>false</enabled> > </snapshots> > <releases> > <updatePolicy>never</updatePolicy> > </releases> > </pluginRepository> > </pluginRepositories> > </profile> > </profiles> > </settings> > END > * svn co http://svn.apache.org/repos/asf/logging/log4j/trunk log4j > * cd log4j > * mvn package release:prepare > fails with: > > [WARNING] Unable to get resource > 'org.apache.felix:maven-bundle-plugin:pom:2.1.0' from repository central ( > https://repo.maven.apache.org/maven2): Error transferring file: Received > fatal alert: protocol_version > Downloading: > https://repo.maven.apache.org/maven2/org/apache/felix/maven-bundle-plugin/2.1.0/maven-bundle-plugin-2.1.0.pom > > so...maven 3 it is. That needs JDK 7. > > * sudo apt-get install openjdk-7-jdk > * sudo apt-get install maven # 3.0.5... > * sudo update-alternatives --config mvn > * vi ~/log4j/pom.xml > > * patch pom.xml <<END > Index: pom.xml > =================================================================== > --- pom.xml (revision 1895980) > +++ pom.xml (working copy) > @@ -89,6 +88,26 @@ > <plugins> > <plugin> > <groupId>org.apache.maven.plugins</groupId> > + <artifactId>maven-toolchains-plugin</artifactId> > + <version>1.1</version> > + <executions> > + <execution> > + <goals> > + <goal>toolchain</goal> > + </goals> > + </execution> > + </executions> > + <configuration> > + <toolchains> > + <jdk> > + <version>1.6</version> > + <vendor>openjdk</vendor> > + </jdk> > + </toolchains> > + </configuration> > + </plugin> > + <plugin> > + <groupId>org.apache.maven.plugins</groupId> > <artifactId>maven-resources-plugin</artifactId> > <configuration> > <encoding>UTF-8</encoding> > END > > * cat >~/.m2/toolchains.xml <<END > <?xml version="1.0" encoding="UTF-8"?> > <toolchains> > <!-- JDK toolchains --> > <toolchain> > <type>jdk</type> > <provides> > <version>1.6</version> > <vendor>openjdk</vendor> > </provides> > <configuration> > <jdkHome>/usr/lib/jvm/java-1.6.0-openjdk-amd64</jdkHome> > </configuration> > </toolchain> > </toolchains> > END > * mv ~/.m2/settings.xml ~/.m2/settings.xml.bak # that was for maven 2 > > * mvn package release:prepare with settings: > > [INFO] Checking dependencies and plugins for snapshots ... > What is the release version for "Apache Log4j"? (log4j:log4j) 1.2.18: : > 1.2.18-RC1 > What is SCM release tag or label for "Apache Log4j"? (log4j:log4j) > log4j-1.2.18-RC1: : v1.2.18-RC1 > What is the new development version for "Apache Log4j"? (log4j:log4j) > 1.2.18-RC2-SNAPSHOT: : 1.2.18-RC2-SNAPSHOT > [INFO] Transforming 'Apache Log4j'... > > fails at the very end due to permissions (good): > > [INFO] Executing: /bin/sh -c cd /home/osboxes/log4j && svn > --non-interactive commit --file /tmp/maven-scm-895115457.commit --targets > /tmp/maven-scm-5194221240786270512-targets > [ERROR] svn: E175013: Commit failed (details follow): > [ERROR] svn: E175013: POST of '/repos/asf/!svn/me': 403 Forbidden ( > http://svn.apache.org) > > * mvn site assembly:assembly also works, but shows an old site!
