Turns out, it's actually easy to replace log4j12 with the log4j 1.2 API shim.
Adapting the BuildRequires and something like %pom_change_dep log4j:log4j org.apache.logging.log4j:log4j-1.2-api should do it for maven-based packages, unless there are OSGi complications.
For ant-based projects, the log4j classpath construction argument needs to be adapted from something like log4j-1 to log4j/log4j-1.2-api.
The list of packages still using log4j 1.2.17 is short:
$ repoquery --whatrequires log4j12
ant-0:1.10.8-4.fc34.src
ant-apache-log4j-0:1.10.8-4.fc34.noarch
apache-commons-configuration-0:1.10-15.fc32.src
apache-commons-logging-0:1.2-23.fc33.src
apache-log4j-extras-0:1.2.17.1-18.fc33.noarch
apache-log4j-extras-0:1.2.17.1-18.fc33.src
azureus-0:5.7.6.0-13.fc34.noarch
azureus-0:5.7.6.0-13.fc34.src
jboss-logging-0:3.4.1-4.fc33.src
jdom2-0:2.0.6-19.fc33.src
pdfbox-0:2.0.21-1.fc34.src
slf4j-0:1.7.30-6.fc33.src
slf4j-log4j12-0:1.7.30-6.fc33.noarch
slf4j-sources-0:1.7.30-6.fc33.noarch
velocity-0:1.7-32.fc33.src
xbean-0:4.15-5.fc33.noarch
xbean-0:4.15-5.fc33.src
Switching to log4j 1.2 API shim:
Disabling log4j12 module:
Dropping unnecessary log4j12 dependency:
apache-commons-logging needs adaptations for its OSGi bundle and I don't know how to do that
I took care of this one, simply swapping the dep worked fine for me. Inspecting the OSGi metadata closely showed that it had hard-coded versions that were clearly wrong, but would not have caused any bundle wiring errors because all the deps are marked as optional anyway. Even so, I removed the hard-coded versions from the OSGi metadata.
Switched from log4j12 to log4j2 or dropped dependency:
Pending review:
I merged and built the velocity PR.
Now only non-SIG and/or already broken packages require log4j12. I have orphaned it.
Metadata Update from @decathorpe: - Issue status updated to: Closed (was: Open)
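A way to check a spec file for leftovers after the swap described at the top of this ticket, as an added example that is not part of the ticket or of any package's own code. The function names, the sample spec contents and the `-Dlog4j.jar` property are assumptions made for illustration; the matched strings are the ones quoted in the ticket.

```sh
# Added example, not from the ticket: list leftover log4j 1.2 references in a spec.
# Matched strings are assumptions based on the names quoted in the ticket.

# Print "LINE:KIND:TEXT" for each leftover reference in the spec file "$1".
find_log4j12_refs() {
    awk '
        /^[ \t]*#/ { next }    # ignore spec comments
        # Direct package dependency on the old log4j12 package.
        /^(Build)?Requires:.*log4j12/ { print NR ":requires:" $0; next }
        # Old ant classpath argument: "log4j-1" that is not part of "log4j-1.2-api".
        /log4j-1([^.0-9]|$)/ { print NR ":classpath:" $0; next }
    ' "$1"
}

# Succeed if the spec already points at the log4j 1.2 API shim.
uses_shim() {
    grep -q 'log4j-1\.2-api' "$1"
}

# Constructed sample spec fragments (hypothetical package, not from the ticket).
write_sample_specs() {
    cat > "$1/old.spec" <<'EOF'
Name: example
BuildRequires: log4j12
# BuildRequires: log4j12 (comment, ignored)
%build
ant -Dlog4j.jar=$(build-classpath log4j-1)
EOF
    cat > "$1/new.spec" <<'EOF'
Name: example
BuildRequires: mvn(org.apache.logging.log4j:log4j-1.2-api)
%prep
%pom_change_dep log4j:log4j org.apache.logging.log4j:log4j-1.2-api
%build
ant -Dlog4j.jar=$(build-classpath log4j/log4j-1.2-api)
EOF
}

# Demo run: report on both constructed samples.
demo() {
    dir=$(mktemp -d) && write_sample_specs "$dir"
    for spec in "$dir/old.spec" "$dir/new.spec"; do
        echo "== $(basename "$spec")"
        find_log4j12_refs "$spec"
        if uses_shim "$spec"; then echo "references the 1.2 API shim"; fi
    done
    rm -rf "$dir"
}
demo
```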