log4j-api 2.23.1 is recommended. All POI and XMLBeans users and probably any other log4j users - I strongly recommend avoiding log4j-api 2.24.1.
Unfortunately, log4j changes are outside our control - so direct any questions or issues to the log4j team. * https://github.com/apache/logging-log4j2 * https://github.com/apache/logging-log4j2/issues/3143 On Monday 11 November 2024 at 17:31:54 GMT+1, stanton fisque <sfis...@gmail.com> wrote: just so there is no confusion, the re-target version would be 2.23.1, correct? Stanton Fisque principal technologist latticeware.com portland, oregon > On Nov 11, 2024, at 05:29 AM, PJ Fanning <fannin...@apache.org> wrote: > > I'll cancel this vote. > > I will downgrade log4j to 1.23.1 which we used in the last POI release. > > There is a log4j-bom and that would help many users ensure that their various > log4j jars have matching versions. > https://logging.apache.org/log4j/2.x/components.html#log4j-bom > > I still think it is safest for POI to downgrade and we will need a place in > our docs to warn people about log4j 2.24+. > > I have to admit to long avoiding log4j - even prior to the major security > scare. I always felt that it was too complicated for a logging framework and > complexity leads to difficulties in texting all the various potential setups. > I lost the POI discussion when I tried to keep POI away from log4j (and to > stick with slf4j). > > > On 2024/11/11 09:01:17 Dominik Stadler wrote: >> Yes, the only workaround would be to downgrade log4j-api to 2.24.0 to avoid >> the change for now. >> >> Regards... D. >> >> On Sun, 10 Nov 2024, 22:21 PJ Fanning, <fannin...@apache.org> wrote: >> >>> Let's see what happens with apache/logging-log4j2/issues/3196. >>> >>> I don't see any tidy workaround in POI. >>> >>> We may just need to release note this. >>> >>> On 2024/11/10 11:31:00 Dominik Stadler wrote: >>>> See https://github.com/apache/logging-log4j2/issues/3196 for details. >>>> >>>> Seems having a combination of log4j-api:2.24.1 and log4j-core:2.24.0 is >>>> broken, but we likely end up in such situations. >>>> >>>> Downgrading log4j-api to 2.24.0 for now would avoid running into this for >>>> now. Should we re-spin the release? Otherwise we should at least add a >>> note >>>> to the release notes/changelog instructing to upgrade log4j-core to >>> 2.24.1 >>>> as well. >>>> >>>> Regards... Dominik. >>>> >>>> >>>> On Sun, Nov 10, 2024 at 9:49 AM Dominik Stadler <dominik.stad...@gmx.at> >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> I started to test a bit with the RC, I see a strange problem related to >>>>> Log4j, the static getLogger() returns null when using POI 5.4.0 and >>> Log4j >>>>> 2.24.0 in a sample project. >>>>> >>>>> When updating Log4j to 2.24.1, it works again. >>>>> >>>>> So sounds like a regression in Log4j 2.24.1 when combined with 2.24.0, >>>>> which would be strange. >>>>> >>>>> This reproduces with a very simple project, e.g. running "./gradlew >>>>> runWriteFile -PpoiVersion=5.4.0" in a checkout of >>>>> https://github.com/centic9/poi-reproduce >>>>> >>>>> Would be interesting if others see the same! >>>>> >>>>> Thanks... Dominik. >>>>> >>>>> >>>>> On Fri, Nov 8, 2024 at 8:04 PM PJ Fanning <fannin...@yahoo.com.invalid >>>> >>>>> wrote: >>>>> >>>>>> Hello POI Community, >>>>>> >>>>>> This is a call for a vote to release Apache POI version 5.4.0 (RC1). >>>>>> >>>>>> The discussion thread: >>>>>> https://lists.apache.org/thread/fjxgn9rjo5x8ho9ssnow32mrrrotlhgj >>>>>> >>>>>> The release candidate: >>>>>> https://dist.apache.org/repos/dist/dev/poi/5.4.0-RC1/ >>>>>> >>>>>> >>>>>> This release has been signed with a PGP key available here: >>>>>> https://downloads.apache.org/poi/KEYS >>>>>> >>>>>> Release Notes: >>>>>> https://dist.apache.org/repos/dist/dev/poi/RELEASE-NOTES-5.4.0.txt >>>>>> >>>>>> >>>>>> I will add the svn tag REL_5_4_0 if the vote passes. >>>>>> >>>>>> Svn commit ID: https://svn.apache.org/repos/asf/poi/trunk@1921817 >>>>>> >>>>>> >>>>>> >>>>>> Please download, verify, and test. >>>>>> >>>>>> >>>>>> We have also staged jars in the Apache Nexus Repository. >>>>>> These were built with the same code as appears in this Source Release >>>>>> Candidate. >>>>>> We would appreciate if users could test with these too. >>>>>> >>>>>> If anyone finds any serious problems with these jars, please also >>> notify >>>>>> us on this thread. >>>>>> >>>>>> https://repository.apache.org/content/groups/staging/org/apache/poi/ >>>>>> >>>>>> In gradle, you can add this repository. >>>>>> >>>>>> maven { >>>>>> url "https://repository.apache.org/content/groups/staging/"; >>>>>> } >>>>>> >>>>>> >>>>>> The VOTE will pass if we have more positive votes than negative votes >>>>>> and there must be a minimum of 3 approvals from POI PMC members. >>>>>> >>>>>> I will leave the vote open for at least a week. >>>>>> >>>>>> [ ] +1 approve >>>>>> [ ] +0 no opinion >>>>>> [ ] -1 disapprove with the reason >>>>>> >>>>>> To learn more about Apache POI, please see https://poi.apache.org/ >>>>>> >>>>>> >>>>>> Checklist for reference: >>>>>> [ ] Download links are valid. >>>>>> [ ] Checksums and signatures. >>>>>> [ ] LICENSE/NOTICE files exist >>>>>> [ ] No unexpected binary files >>>>>> [ ] Source files have ASF headers >>>>>> [ ] Can compile from source >>>>>> >>>>>> >>>>>> To compile from the source, please refer to: >>>>>> https://poi.apache.org/devel/index.html >>>>>> >>>>>> Some notes about verifying downloads can be found at: >>>>>> https://poi.apache.org/download.html >>>>>> >>>>>> >>>>>> Here is my +1 (binding). >>>>>> >>>>>> >>>>>> Thanks, >>>>>> PJ Fanning (Apache POI PMC member) >>>>>> >>>>>> --------------------------------------------------------------------- >>>>>> To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org >>>>>> For additional commands, e-mail: dev-h...@poi.apache.org >>>>>> >>>>>> >>>> >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org >>> For additional commands, e-mail: dev-h...@poi.apache.org >>> >>> >> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org > For additional commands, e-mail: dev-h...@poi.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org For additional commands, e-mail: dev-h...@poi.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org For additional commands, e-mail: dev-h...@poi.apache.org
