logging-log4net-dev mailing list archives

From "Dominik Psenner (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (LOG4NET-397) Conflicts due to new strong name key
Date Wed, 09 Oct 2013 07:54:43 GMT

    [ https://issues.apache.org/jira/browse/LOG4NET-397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13790138#comment-13790138 ]

Dominik Psenner edited comment on LOG4NET-397 at 10/9/13 7:54 AM:
------------------------------------------------------------------

{quote}IMHO your FAQ should provide more detailed information on the risk of conflicts with
3rd party components{quote}

You run into this problem with every DLL in the world and it's something people should know
when they develop applications. IMHO people should read more books, but it is also written
down in the [FAQ|http://logging.apache.org/log4net/release/faq.html#two-snks].

{quote}My view is that most people just want the latest stable log4net package and are not
interested in the ability to customize log4net{quote}

FWIW, the NuGet package maintainer decided that he distributes the new key assembly.

{quote}whatever the recommendation, it should be clearly stated in a FAQ{quote}

Now I'm quoting [http://logging.apache.org/log4net/download_log4net.cgi]

{quote}See the [FAQ|http://logging.apache.org/log4net/release/faq.html#two-snks] for background.
We recommend you use the assemblies signed with the "new" key whenever possible.{quote}

If you feel that the information there is not enough, feel free to file an issue in JIRA.

{quote}Also I believe you should liaise with the owners of the NuGet package{quote}

We have contacted him/her and he pushed the NuGet packaging source into GitHub. My impression
is that he/she is not interested in extending his duties and I can understand that since I
am doing this in my spare time too.

{quote}whether NuGet should offer the new key, the old key or both. At the moment, the NuGet
package only includes the new key for 1.2.11+, which pushes people to using this version without
considering the implications.{quote}

The NuGet packaging is on GitHub. You can fix it and file a pull request.


was (Author: nachbarslumpi):
{quote}IMHO your FAQ should provide more detailed information on the risk of conflicts with
3rd party components{quote}

You run into this problem with every DLL in the world and it's something people should know
when they develop applications. IMHO people should read more books, but it is also written
down in the [FAQ|http://logging.apache.org/log4net/release/faq.html#two-snks].

{quote}My view is that most people just want the latest stable log4net package and are not
interested in the ability to customize log4net{quote}

FWIW, the NuGet package maintainer decided that he distributes the new key assembly.

{quote}whatever the recommendation, it should be clearly stated in a FAQ{quote}

Now I'm quoting [http://logging.apache.org/log4net/download_log4net.cgi]

{quote}See the [FAQ|http://logging.apache.org/log4net/release/faq.html#two-snks] for background.
We recommend you use the assemblies signed with the "new" key whenever possible.{quote}

If you feel that the information there is not enough, feel free to file an issue in JIRA.

{quote}Also I believe you should liaise with the owners of the NuGet package{quote}

We have contacted him/her and he pushed the NuGet packaging source into GitHub. My impression
is that he/she is not interested in extending his duties and I can understand that since I
am doing this in my spare time too.

> Conflicts due to new strong name key
> ------------------------------------
>
>                 Key: LOG4NET-397
>                 URL: https://issues.apache.org/jira/browse/LOG4NET-397
>             Project: Log4net
>          Issue Type: Bug
>            Reporter: Joe
>
> Consider an application that uses two third-party assemblies:
> - AssemblyA from Supplier A, compiled with log4net 1.2.10 (old strong-name key)
> - AssemblyB from Supplier B, compiled with log4net 1.2.11 (new strong-name key)
> How can I make these two assemblies co-exist and use the same version of log4net?
> Maybe I'm missing something obvious, but I can't see any way to do this: for example I obviously can't have both log4net assemblies in the same bin folder, as they have the same name.
> I'm obviously not the only one who thinks there's a problem, e.g. issue LOG4NET-324 refers to "... the strong name horror too".  The comment on this issue:
> "... But if you need the old "strong name", you can simply use the "oldkey" binaries. I can't see how this is a horror, but of course I'm biased."
> doesn't seem to address the problem of conflicts.
> Also there are no guidelines for component suppliers as to which version to use, which increases the risk of conflicts.  In the absence of explicit guidelines, I guess legacy components will have the old key, whereas new ones will tend to use the new key, since that is the only version available via NuGet.
> The only solution I can see is the following:
> - The "new key" assembly needs to have a different name from the "old key" assembly (e.g. log4net-2.dll).
> - Use Type forwarding to enable both versions to co-exist.  E.g. you could supply a special log4net.dll signed with the old key that uses type forwarding to forward to log4net-2.dll signed with the new key.  Or vice-versa.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
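
The conflict described in the quoted issue can be checked for before deployment. The following is an added example, not part of the original message or of the log4net project: it parses assembly display names and separates key conflicts (same simple name, different public key token, which a version bindingRedirect cannot reconcile) from version-only mismatches. The reference list, `Other.Lib`, `AssemblyC` and all PublicKeyToken values are constructed placeholders, not the real log4net tokens.

```python
import re
from collections import defaultdict

# Constructed sample: what each third-party assembly references. The
# PublicKeyToken values are placeholders, not the real log4net tokens.
REFERENCES = {
    "AssemblyA": ["log4net, Version=1.2.10.0, Culture=neutral, PublicKeyToken=aaaaaaaaaaaaaaaa"],
    "AssemblyB": ["log4net, Version=1.2.11.0, Culture=neutral, PublicKeyToken=bbbbbbbbbbbbbbbb",
                  "Other.Lib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=cccccccccccccccc"],
    "AssemblyC": ["Other.Lib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=cccccccccccccccc"],
}

def parse_display_name(display_name):
    """Split an assembly display name into (simple name, version, token)."""
    parts = [p.strip() for p in display_name.split(",")]
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    token = fields.get("PublicKeyToken", "null").lower()
    if token != "null" and not re.fullmatch(r"[0-9a-f]{16}", token):
        raise ValueError(f"bad PublicKeyToken in {display_name!r}")
    return parts[0], fields.get("Version", "0.0.0.0"), token

def find_conflicts(references):
    """Group references by simple name and classify any mismatch."""
    seen = defaultdict(set)  # simple name -> {(version, token, referrer)}
    for referrer, names in references.items():
        for display_name in names:
            name, version, token = parse_display_name(display_name)
            seen[name].add((version, token, referrer))
    report = {}
    for name, uses in seen.items():
        tokens = {t for _, t, _ in uses}
        versions = {v for v, _, _ in uses}
        if len(tokens) > 1:
            # Different signing keys mean different assembly identities;
            # a version redirect cannot unify them.
            report[name] = ("key-conflict", sorted(uses))
        elif len(versions) > 1:
            # Same key, different versions: a bindingRedirect can unify them.
            report[name] = ("version-only", sorted(uses))
    return report

if __name__ == "__main__":
    for name, (kind, uses) in sorted(find_conflicts(REFERENCES).items()):
        print(name, kind)
        for version, token, referrer in uses:
            print(f"  {referrer}: Version={version} PublicKeyToken={token}")
```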
