Turns out, it's actually easy to replace log4j12 with the log4j 1.2 API shim.
Adapting the BuildRequires and something like %pom_change_dep log4j:log4j org.apache.logging.log4j:log4j-1.2-api should do it for maven-based packages, unless there are OSGi complications.
%pom_change_dep log4j:log4j org.apache.logging.log4j:log4j-1.2-api
For ant-based projects, the log4j classpath construction argument needs to be adapted from something like log4j-1 to log4j/log4j-1.2-api.
The list of packages still using log4j 1.2.17 is short:
$ repoquery --whatrequires log4j12
Switching to log4j 1.2 API shim:
Disabling log4j12 module:
Dropping unnecessary log4j12 dependency:
apache-commons-logging needs adaptations for its OSGi bundle and I don't know how to do that
I took care of this one, simply swapping the dep worked fine for me. Inspecting the OSGi metadata closely showed that it had hard-coded versions that were clearly wrong, but would not have caused any bundle wiring errors because all the deps are marked as optional anyway. Even so, I removed the hard-coded versions from the OSGi metadata.
Switched from log4j12 to log4j2 or dropped dependency:
I merged and built the velocity PR.
Now only non-SIG and/or already broken packages require log4j12. I have orphaned it.
Metadata Update from @decathorpe:
- Issue status updated to: Closed (was: Open)
to comment on this ticket.