Migrating via compatibility layers is way harder for consumers, and it does not sound like a proper plan for fixing RCE.
The scope of regression testing from 1.x to 2.x+compatibility would be much more for the consumers than the scope of 1.2.17 -> 1.2.18, so it would be way harder for them to test the upgrade. I am sure, there's a lot of in-house forks that effectively cut .net. package from log4j 1.x, so it would be great to acknowlege it and just release 1.2.18 Are you willing to invest your own time on improving the compatibility layer so it covers 99.999% cases? I am investing time in 1.x, and I believe it is urgent. Improving the compatibility layer makes sense, however, it looks like a hard task for both log4j (it would require testing with lots of different apps), and it would be a hard upgrade for the consumers as there might be glitches here and there. Vladimir
