Re: [VOTE] KIP-719: Add Log4J2 Appender

2021-06-11 Thread Boojapho O
+1 (non-binding)

On 2021/06/09 15:31:13, Dongjin Lee wrote:
> Bumping up the voting thread.
> 
> Please note that today is the KIP freeze day.
> 
> Thanks,
> Dongjin
> 
> On Mon, Jun 7, 2021 at 9:28 PM Dongjin Lee wrote:
> 
> > Bumping up the voting thread.
> >
> >
> > As a reminder: Please note that without the Log4j2 appender, we can't
> > complete KIP-653: Upgrade log4j to log4j2 (accepted)
> > since we can't entirely remove the log4j artifact from the classpath for
> > the tools dependency.
> >
> >
> > Best,
> >
> > Dongjin
> >
> > On Tue, May 25, 2021 at 10:45 PM Dongjin Lee wrote:
> >
> >> Hi Kafka dev,
> >>
> >> I'd like to kick off the voting for KIP-719: Add Log4J2 Appender.
> >>
> >>
> >> https://cwiki.apache.org/confluence/display/KAFKA/KIP-719%3A+Add+Log4J2+Appender
> >>
> >> Best,
> >> Dongjin
> >>
> >> --
> >> *Dongjin Lee*
> >>
> >> *A hitchhiker in the mathematical world.*
> >>
> >> *github: github.com/dongjinleekr
> >> keybase: https://keybase.io/dongjinleekr
> >> linkedin: kr.linkedin.com/in/dongjinleekr
> >> speakerdeck: speakerdeck.com/dongjin*
> >>


Re: [DISCUSS] KIP-719: Add Log4J2 Appender

2021-06-11 Thread Boojapho O
Continuing to use log4j would leave several known security vulnerabilities in 
Apache Kafka, including https://nvd.nist.gov/vuln/detail/CVE-2019-17571.  The 
Apache log4j team will not fix this vulnerability and is urging an upgrade to 
log4j2.  See https://logging.apache.org/log4j/1.2/ for further information.

This is desperately needed in Apache 3.0 to keep the software secure.

On 2021/05/26 12:31:20, Dongjin Lee wrote:
> CC'd the +1ers of KIP-653 with detailed context:
> 
> When I submitted and got the approval of KIP-653: Upgrade log4j to log4j2,
> I thought the log4j2-appender should not be the scope of the work. But it
> was wrong.
> 
> Since the VerifiableLog4jAppender tool is built upon log4j-appender, log4j
> 1.x artifact will co-exist with log4j2 artifact in the classpath within
> this scheme. Since the log4j 1.x code is not called anymore, I thought it
> is not problematic but actually, it was not - when I started to provide a
> preview of KIP-653, some users reported that sometimes slf4j fails to find
> the appropriate binding within the classpath, resulting in a failure to
> append the log message.
> 
> To resolve this problem, I subtly adjusted the scope of the work; I
> excluded Tools and Trogdor from KIP-653 and extended KIP-719 to take care
> of them instead, along with providing log4j2-appender. It is why the
> current WIP implementations include some classpath logic in the shell
> script and *why KIP-653 only can't complete the log4j2 migration*.
> 
> I hope you will check this proposal out.
> 
> Best,
> Dongjin
> 
> On Tue, May 25, 2021 at 10:43 PM Dongjin Lee wrote:
> 
> > Bumping up the discussion thread.
> >
> > Recently, I updated the document of KIP-653: Upgrade log4j to log4j2
> > (accepted) and KIP-719: Add Log4J2 Appender (under discussion)
> > reflecting the recent changes to our codebase. Especially:
> >
> > 1. KIP-653 document now explains which modules will be migrated and why.
> > 2. KIP-719 document now explains not only the log4j2-appender plan but
> > also upgrading the omitted modules in KIP-653 into log4j2.
> >
> > As you can see here, those two KIPs are the different parts of the same
> > problem. I believe the community will have a good grasp on why both KIPs
> > are best if released altogether.
> >
> > I will open the voting thread now, and please leave a vote if you are
> > interested in this issue.
> >
> > Best,
> > Dongjin
> >
> > On Tue, Mar 2, 2021 at 5:00 PM Dongjin Lee wrote:
> >
> >> Hi Kafka dev,
> >>
> >> I would like to start the discussion of KIP-719: Add Log4J2 Appender.
> >>
> >>
> >> https://cwiki.apache.org/confluence/display/KAFKA/KIP-719%3A+Add+Log4J2+Appender
> >>
> >> All kinds of feedback are greatly appreciated!
> >>
> >> Best,
> >> Dongjin
> >>
>
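
The classpath condition discussed in this thread (a log4j 1.x jar left next to log4j2, with more than one SLF4J binding present) can be checked from jar names alone. The following is an added example, not part of the original messages or of Kafka's code; the function name `audit_classpath`, the `/opt/kafka/libs/` path and the jar versions are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# log4j 1.x jar: "log4j-" directly followed by a 1.x version number.
# The log4j2 bridge "log4j-1.2-api-<version>.jar" must not match.
LOG4J1_JAR = re.compile(r"^log4j-1\.\d+(\.\d+)*\.jar$")

# SLF4J 1.x binding artifacts and the logging backend each one routes to.
SLF4J_BINDINGS = {
    "slf4j-log4j12": "log4j 1.x",
    "log4j-slf4j-impl": "log4j2",
    "slf4j-simple": "slf4j-simple",
    "slf4j-jdk14": "java.util.logging",
    "logback-classic": "logback",
}
BINDING_JAR = re.compile(
    r"^(%s)-\d[\w.\-]*\.jar$" % "|".join(map(re.escape, SLF4J_BINDINGS)))


def audit_classpath(classpath, sep=":"):
    """Return log4j 1.x jars, SLF4J bindings and findings for a classpath."""
    names = [PurePosixPath(e).name for e in classpath.split(sep) if e]
    log4j1 = [n for n in names if LOG4J1_JAR.match(n)]
    bindings = [(n, SLF4J_BINDINGS[m.group(1)])
                for n in names if (m := BINDING_JAR.match(n))]
    has_log4j2 = any(n.startswith("log4j-core-2.") for n in names)

    findings = []
    if log4j1:
        findings.append("log4j 1.x on classpath: " + ", ".join(log4j1))
    if log4j1 and has_log4j2:
        findings.append("log4j 1.x co-exists with log4j2")
    if len(bindings) > 1:
        findings.append("multiple SLF4J bindings: "
                        + ", ".join(n for n, _ in bindings))
    return {"log4j1": log4j1, "bindings": bindings, "findings": findings}


# Constructed sample classpaths (paths and versions are illustrative only).
LIBS = "/opt/kafka/libs/"
LOG4J2 = ["log4j-api-2.14.1.jar", "log4j-core-2.14.1.jar",
          "log4j-slf4j-impl-2.14.1.jar", "log4j-1.2-api-2.14.1.jar"]
MIXED = ":".join(LIBS + j for j in
                 ["log4j-1.2.17.jar", "slf4j-log4j12-1.7.30.jar"] + LOG4J2)
CLEAN = ":".join(LIBS + j for j in LOG4J2)

if __name__ == "__main__":
    for finding in audit_classpath(MIXED)["findings"]:
        print("WARN", finding)
```

The check matches on artifact names only, so a log4j 1.x copy shaded into another jar would not be reported.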