I'll cancel this vote. I will downgrade log4j to 1.23.1 which we used in the last POI release.

There is a log4j-bom and that would help many users ensure that their various log4j jars have matching versions.
https://logging.apache.org/log4j/2.x/components.html#log4j-bom

I still think it is safest for POI to downgrade and we will need a place in our docs to warn people about log4j 2.24+.

I have to admit to long avoiding log4j - even prior to the major security scare. I always felt that it was too complicated for a logging framework and complexity leads to difficulties in testing all the various potential setups. I lost the POI discussion when I tried to keep POI away from log4j (and to stick with slf4j).

On 2024/11/11 09:01:17 Dominik Stadler wrote:
> Yes, the only workaround would be to downgrade log4j-api to 2.24.0 to avoid
> the change for now.
>
> Regards... D.
>
> On Sun, 10 Nov 2024, 22:21 PJ Fanning, <fannin...@apache.org> wrote:
>
> > Let's see what happens with apache/logging-log4j2/issues/3196.
> >
> > I don't see any tidy workaround in POI.
> >
> > We may just need to release note this.
> >
> > On 2024/11/10 11:31:00 Dominik Stadler wrote:
> > > See https://github.com/apache/logging-log4j2/issues/3196 for details.
> > >
> > > Seems having a combination of log4j-api:2.24.1 and log4j-core:2.24.0 is
> > > broken, but we likely end up in such situations.
> > >
> > > Downgrading log4j-api to 2.24.0 for now would avoid running into this for
> > > now. Should we re-spin the release? Otherwise we should at least add a note
> > > to the release notes/changelog instructing to upgrade log4j-core to 2.24.1
> > > as well.
> > >
> > > Regards... Dominik.
> > >
> > >
> > > On Sun, Nov 10, 2024 at 9:49 AM Dominik Stadler <dominik.stad...@gmx.at>
> > > wrote:
> > >
> > > > Hi,
> > > >
> > > > I started to test a bit with the RC, I see a strange problem related to
> > > > Log4j, the static getLogger() returns null when using POI 5.4.0 and Log4j
> > > > 2.24.0 in a sample project.
> > > >
> > > > When updating Log4j to 2.24.1, it works again.
> > > >
> > > > So sounds like a regression in Log4j 2.24.1 when combined with 2.24.0,
> > > > which would be strange.
> > > >
> > > > This reproduces with a very simple project, e.g. running "./gradlew
> > > > runWriteFile -PpoiVersion=5.4.0" in a checkout of
> > > > https://github.com/centic9/poi-reproduce
> > > >
> > > > Would be interesting if others see the same!
> > > >
> > > > Thanks... Dominik.
> > > >
> > > >
> > > > On Fri, Nov 8, 2024 at 8:04 PM PJ Fanning <fannin...@yahoo.com.invalid>
> > > > wrote:
> > > >
> > > >> Hello POI Community,
> > > >>
> > > >> This is a call for a vote to release Apache POI version 5.4.0 (RC1).
> > > >>
> > > >> The discussion thread:
> > > >> https://lists.apache.org/thread/fjxgn9rjo5x8ho9ssnow32mrrrotlhgj
> > > >>
> > > >> The release candidate:
> > > >> https://dist.apache.org/repos/dist/dev/poi/5.4.0-RC1/
> > > >>
> > > >>
> > > >> This release has been signed with a PGP key available here:
> > > >> https://downloads.apache.org/poi/KEYS
> > > >>
> > > >> Release Notes:
> > > >> https://dist.apache.org/repos/dist/dev/poi/RELEASE-NOTES-5.4.0.txt
> > > >>
> > > >>
> > > >> I will add the svn tag REL_5_4_0 if the vote passes.
> > > >>
> > > >> Svn commit ID: https://svn.apache.org/repos/asf/poi/trunk@1921817
> > > >>
> > > >>
> > > >>
> > > >> Please download, verify, and test.
> > > >>
> > > >>
> > > >> We have also staged jars in the Apache Nexus Repository.
> > > >> These were built with the same code as appears in this Source Release
> > > >> Candidate.
> > > >> We would appreciate if users could test with these too.
> > > >>
> > > >> If anyone finds any serious problems with these jars, please also notify
> > > >> us on this thread.
> > > >>
> > > >> https://repository.apache.org/content/groups/staging/org/apache/poi/
> > > >>
> > > >> In gradle, you can add this repository.
> > > >>
> > > >> maven {
> > > >>     url "https://repository.apache.org/content/groups/staging/"
> > > >> }
> > > >>
> > > >>
> > > >> The VOTE will pass if we have more positive votes than negative votes
> > > >> and there must be a minimum of 3 approvals from POI PMC members.
> > > >>
> > > >> I will leave the vote open for at least a week.
> > > >>
> > > >> [ ] +1 approve
> > > >> [ ] +0 no opinion
> > > >> [ ] -1 disapprove with the reason
> > > >>
> > > >> To learn more about Apache POI, please see https://poi.apache.org/
> > > >>
> > > >>
> > > >> Checklist for reference:
> > > >> [ ] Download links are valid.
> > > >> [ ] Checksums and signatures.
> > > >> [ ] LICENSE/NOTICE files exist
> > > >> [ ] No unexpected binary files
> > > >> [ ] Source files have ASF headers
> > > >> [ ] Can compile from source
> > > >>
> > > >>
> > > >> To compile from the source, please refer to:
> > > >> https://poi.apache.org/devel/index.html
> > > >>
> > > >> Some notes about verifying downloads can be found at:
> > > >> https://poi.apache.org/download.html
> > > >>
> > > >>
> > > >> Here is my +1 (binding).
> > > >>
> > > >>
> > > >> Thanks,
> > > >> PJ Fanning (Apache POI PMC member)
> > > >>
> > > >> ---------------------------------------------------------------------
> > > >> To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
> > > >> For additional commands, e-mail: dev-h...@poi.apache.org
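
Added example, not part of the thread and not POI or Log4j project code: a small check for the mixed-version situation discussed above (log4j-api 2.24.1 next to log4j-core 2.24.0). It scans a list of jar paths and reports when log4j-* jars disagree on version. The function name, the jar-name pattern and both sample classpaths are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Log4j 2.x component jars, e.g. log4j-api-2.24.1.jar or
# log4j-slf4j2-impl-2.24.0.jar. Log4j 1.x (log4j-1.2.17.jar) does not match.
LOG4J_JAR = re.compile(
    r"^(log4j-[a-z0-9-]+?)-(\d+(?:\.\d+)+(?:[-.][A-Za-z0-9]+)*)\.jar$"
)

# Constructed sample: the combination the thread reports as broken.
BROKEN_CLASSPATH = [
    "lib/poi-5.4.0.jar",
    "lib/log4j-api-2.24.1.jar",
    "lib/log4j-core-2.24.0.jar",
]
# Constructed sample: the same classpath after upgrading log4j-core as well.
ALIGNED_CLASSPATH = [
    "lib/poi-5.4.0.jar",
    "lib/log4j-api-2.24.1.jar",
    "lib/log4j-core-2.24.1.jar",
]


def find_log4j_mismatch(jar_paths):
    """Return {version: [artifacts]} when log4j-* jars disagree, else {}."""
    by_version = defaultdict(set)
    for path in jar_paths:
        # Keep only the file name, accepting both / and \ separators.
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        match = LOG4J_JAR.match(name)
        if match:
            by_version[match.group(2)].add(match.group(1))
    if len(by_version) < 2:
        return {}
    return {v: sorted(a) for v, a in sorted(by_version.items())}


if __name__ == "__main__":
    for label, cp in (("broken", BROKEN_CLASSPATH), ("aligned", ALIGNED_CLASSPATH)):
        mismatch = find_log4j_mismatch(cp)
        if mismatch:
            print(f"{label}: mixed Log4j versions on classpath: {mismatch}")
        else:
            print(f"{label}: Log4j jars are version-aligned")
```

A check like this can run in CI over the resolved runtime classpath, so that a transitive log4j-api bump that leaves log4j-core behind is caught before release.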