oss maintainer comp conversation is interesting because: paid maintainers wouldn't unexist the log4j bug, and it's self-evident that paying maintainers isn't necessary for it to be fixed.
Conversation
Replying to
Paying them would give them substantially more time and resources to implement a whole bunch more misguided features. The legacy log4j didn't have all that magical string interpolation. They added it in log4j2 including doing it for the parameters not just the main format string.
1
1
16
log4j2 was widely known as being an over-complicated and poorly designed mess long before people recently realized that some of these design flaws are serious security vulnerabilities. It would make very little sense to fund a library based on it being absolutely horrifying...
1
1
10
There were other libraries developed as successors to log4j. Can also simply use standard library java.util.logging with fancy features provided by an app and language agnostic logging service.
Do people really need this built into their app server? logging.apache.org/log4j/log4j-2.
