#14 Drop log4j12
Closed 2 years ago by decathorpe. Opened 2 years ago by decathorpe.

Turns out, it's actually easy to replace log4j12 with the log4j 1.2 API shim.

Adapting the BuildRequires and something like %pom_change_dep log4j:log4j org.apache.logging.log4j:log4j-1.2-api should do it for maven-based packages, unless there are OSGi complications.

For ant-based projects, the log4j classpath construction argument needs to be adapted from something like log4j-1 to log4j/log4j-1.2-api.

The list of packages still using log4j 1.2.17 is short:

$ repoquery --whatrequires log4j12

ant-0:1.10.8-4.fc34.src
ant-apache-log4j-0:1.10.8-4.fc34.noarch
apache-commons-configuration-0:1.10-15.fc32.src
apache-commons-logging-0:1.2-23.fc33.src
apache-log4j-extras-0:1.2.17.1-18.fc33.noarch
apache-log4j-extras-0:1.2.17.1-18.fc33.src
azureus-0:5.7.6.0-13.fc34.noarch
azureus-0:5.7.6.0-13.fc34.src
jboss-logging-0:3.4.1-4.fc33.src
jdom2-0:2.0.6-19.fc33.src
pdfbox-0:2.0.21-1.fc34.src
slf4j-0:1.7.30-6.fc33.src
slf4j-log4j12-0:1.7.30-6.fc33.noarch
slf4j-sources-0:1.7.30-6.fc33.noarch
velocity-0:1.7-32.fc33.src
xbean-0:4.15-5.fc33.noarch
xbean-0:4.15-5.fc33.src

  • apache-commons-logging needs adaptations for its OSGi bundle and I don't know how to do that
  • velocity uses RollingFileAppender which is not shipped with the 1.2 API shim, so it looks like it needs a "full port" away from log4j12 :(
  • apache-commons-logging needs adaptations for its OSGi bundle and I don't know how to do that

I took care of this one; simply swapping the dep worked fine for me. Inspecting the OSGi metadata closely showed that it had hard-coded versions that were clearly wrong, but would not have caused any bundle wiring errors because all the deps are marked as optional anyway. Even so, I removed the hard-coded versions from the OSGi metadata.

Switched from log4j12 to log4j2 or dropped dependency:

  • ant
  • apache-commons-logging
  • jboss-logging
  • jdom2
  • pdfbox
  • slf4j
  • xbean

Pending review:

I merged and built the velocity PR.

Now only non-SIG and/or already broken packages require log4j12. I have orphaned it.

Metadata Update from @decathorpe:
- Issue status updated to: Closed (was: Open)

2 years ago
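
A pre-flight check for the dep swap discussed in this ticket, as an added example that is not part of the original ticket or of any Fedora tooling: it lists the `org.apache.log4j` imports in a source tree that a given shim jar does not provide, which is the situation reported above for velocity and RollingFileAppender. The function names, the sample jar contents and the sample sources are constructed for illustration.

```python
import io
import re
import zipfile

# Matches `import org.apache.log4j[.sub.pkg].Name;` and wildcard imports.
# Static imports are not handled. org.apache.logging.log4j (log4j2) never matches.
IMPORT_RE = re.compile(
    r"^\s*import\s+(org\.apache\.log4j(?:\.\w+)*(?:\.\*)?)\s*;", re.MULTILINE
)


def classes_in_jar(jar_bytes):
    """Return fully qualified names of the top-level classes in a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {
            name[: -len(".class")].replace("/", ".")
            for name in jar.namelist()
            if name.endswith(".class") and "$" not in name
        }


def missing_from_shim(sources, shim_classes):
    """Map each source file to the log4j 1.2 imports the shim jar lacks.

    Wildcard imports are always reported, since they need manual review.
    """
    report = {}
    for path, text in sources.items():
        missing = sorted(set(IMPORT_RE.findall(text)) - shim_classes)
        if missing:
            report[path] = missing
    return report


def build_sample_jar(class_names):
    """Build an in-memory jar of empty entries (constructed, not the real shim)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in class_names:
            jar.writestr(name.replace(".", "/") + ".class", b"")
    return buf.getvalue()


# Constructed sample input: the class list and sources are illustrative only.
SAMPLE_SHIM = build_sample_jar(["org.apache.log4j.Logger", "org.apache.log4j.Level"])
SAMPLE_SOURCES = {
    "src/A.java": "import org.apache.log4j.Logger;\nimport org.apache.log4j.Level;\n",
    "src/B.java": "import org.apache.log4j.Logger;\n"
                  "import org.apache.log4j.RollingFileAppender;\n",
}

if __name__ == "__main__":
    result = missing_from_shim(SAMPLE_SOURCES, classes_in_jar(SAMPLE_SHIM))
    for path, names in result.items():
        print(path, "->", ", ".join(names))
```

Against a real package, pass the bytes of the installed log4j-1.2-api jar and the contents of the unpacked `.java` files; an empty report suggests a plain dep swap is worth trying, while any hit points at a class that needs porting.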
