Return-Path: Delivered-To: apmail-ws-axis-dev-archive@www.apache.org Received: (qmail 95572 invoked from network); 4 Apr 2005 10:51:07 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 4 Apr 2005 10:51:07 -0000 Received: (qmail 48269 invoked by uid 500); 4 Apr 2005 10:51:03 -0000 Delivered-To: apmail-ws-axis-dev-archive@ws.apache.org Received: (qmail 48241 invoked by uid 500); 4 Apr 2005 10:51:03 -0000 Mailing-List: contact axis-dev-help@ws.apache.org; run by ezmlm Precedence: bulk Reply-To: axis-dev@ws.apache.org list-help: list-unsubscribe: List-Post: Delivered-To: mailing list axis-dev@ws.apache.org Received: (qmail 48227 invoked by uid 99); 4 Apr 2005 10:51:02 -0000 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received-SPF: neutral (hermes.apache.org: local policy) Received: from gort.hpl.hp.com (HELO gort.hpl.hp.com) (192.6.10.17) by apache.org (qpsmtpd/0.28) with ESMTP; Mon, 04 Apr 2005 03:51:02 -0700 Received: from timmay.hpl.hp.com (timmay-hb.hpl.hp.com [15.144.59.39]) by gort.hpl.hp.com (8.12.10/8.12.10) with ESMTP id j34AoXon007413 for ; Mon, 4 Apr 2005 11:50:33 +0100 (BST) Received: from [15.144.25.135] (chamonix.hpl.hp.com [15.144.25.135]) by timmay.hpl.hp.com (8.13.2/8.13.2) with ESMTP id j34AoSKl022664 for ; Mon, 4 Apr 2005 11:50:28 +0100 (BST) Message-ID: <42511BF4.1080309@apache.org> Date: Mon, 04 Apr 2005 11:50:28 +0100 From: Steve Loughran User-Agent: Mozilla Thunderbird 0.7 (X11/20040615) X-Accept-Language: en-us, en MIME-Version: 1.0 To: axis-dev@ws.apache.org Subject: Re: yank log4j jar from dist? References: <19e0530f05040315381d29bc8b@mail.gmail.com> In-Reply-To: <19e0530f05040315381d29bc8b@mail.gmail.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-HPLB-IMAP-MailScanner-Information: Please contact the Helpdesk for more information X-HPLB-IMAP-MailScanner: Found to be clean X-HPLB-IMAP-MailScanner-SpamCheck: not spam, SpamAssassin (score=0, required 5) X-HPL-MailScanner-Information: Please contact the Helpdesk for more information X-HPL-MailScanner: Found to be clean X-HPL-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.67, required 5, autolearn=not spam, ALL_TRUSTED -0.84, AWL 0.77, BAYES_00 -2.60) X-MailScanner-From: stevel@apache.org X-Virus-Checked: Checked X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N Davanum Srinivas wrote: > Since we don't really need it? Should we yank it from dist? > see http://blogs.msdn.com/dotnetinterop/archive/2005/03/31/404087.aspx > > thanks, > dims > He had the complete set of problems, with endorsed directories, etc, etc. At least happyaxis.jsp identified the existence of trouble. Maybe we should extend it with log4j enhancements. I do agree there is a problem with JAR files and it is more fundamental than just what we include here. Expect lots of coverage of this in the second edition of Java Development with Ant :) -Java1.4's endorsed directories was a mistake. Java1.5 rolls things back a bit, by renaming the apache packages. -signing doesnt cut it. Once you sign jars the classloader starts to act different; you cant add new code into the same packages 'cept when they are signed too. Which is painful in OSS stuff. -The maven repository stuff is more interesting. If you have a central cache of files stored as /project/artifact-version.jar, then you can declarative switch versions. This is essentially .NET's GAC, without the strong names. You could use it with maven, ant, or something a bit like ant that only launches programs; an XML app launcher (tomcat uses ant for this, but I am doing the repository stuff in smartfrog for a managed launcher) I've argued a bit on the apache repository mail list (centre of discourse about repository stuff on apache) for using strong names in versions. So instead of log4j-1.2.jar, you'd also have, via the wonder of symlinks log4j-4f32acb4def.jar the advantage of this approach is (a) no confusion about versions, (b) explicit security in your downloads, when you go then the downloader can verify the checksum after download, as it has the checksum already. ------ returning to log4j, its less essential in java1.5 as it used to be. and pulling it stops the ant tasks telling you off for not having a non-default log4j config (that message really irritates me, I dont see why I should be told off by log4j there). So pulling it would be tractable. This person's problems go much deeper than log4j; they go into WAR vs EAR vs JBoss classloader policies. -steve