+1 I think it makes sense to use reload4j in maint releases.
I have a draft PR doing this (https://github.com/apache/hadoop/pull/3906)
log4j2 in Hadoop 3.4.0 makes sense to me. There could be incompatibilities
introduced by log4j2, but I feel we should at least make it 3.4.0 a
"preview" release, a
For maintenance release line I also support we switch to reload4j to
address the security issues first. We could file an issue for it.
Andrew Purtell 于2022年1月21日 周五01:15写道:
> Just to clarify: I think you want to upgrade to Log4J2 (or switch to
> LogBack) as a strategy for new releases, but you ha
The EventCounter class has already been removed in HADOOP-17524.
And on the filters, by default log4j1.2 bridge has log4j1 filter support,
but as said above, maybe it is not fully functional if you have some
advanced usage. So mind providing more information about how we use filters
in Hadoop?
Th
On Thu, 20 Jan 2022 at 17:15, Andrew Purtell
wrote:
> Just to clarify: I think you want to upgrade to Log4J2 (or switch to
> LogBack) as a strategy for new releases, but you have the option in
> maintenance releases to use Reload4J to maintain Appender API and
> operational compatibility, and use
Just to clarify: I think you want to upgrade to Log4J2 (or switch to LogBack)
as a strategy for new releases, but you have the option in maintenance releases
to use Reload4J to maintain Appender API and operational compatibility, and
users who want to minimize risks in production while mitigatin
Reload4J has fixed all of those CVEs without requiring an upgrade.
> On Jan 20, 2022, at 5:56 AM, Duo Zhang wrote:
>
> There are 3 new CVEs for log4j1 reported recently[1][2][3]. So I think it
> is time to speed up the migration to log4j2 work[4] now.
>
> You can see the discussion on the jir
Hi Duo,
Thank you for starting this discussion. Log4j1.2 bridge seems like a practical
short-term solution. However the bridge will silently affect applications that
add appenders or filters. NameNode audit logger and metrics come to mind. There
may be others.
Thanks,
Arpit
> On Jan 20, 2022
There are 3 new CVEs for log4j1 reported recently[1][2][3]. So I think it
is time to speed up the migration to log4j2 work[4] now.
You can see the discussion on the jira issue[4], our goal is to fully
migrate to log4j2 and the current most blocking issue is lack of the
"log4j.rootLogger=INFO,Conso
