From announce at qos.ch Tue Mar 14 16:23:07 2023 From: announce at qos.ch (QOS.ch annoucements) Date: Tue, 14 Mar 2023 16:23:07 +0100 Subject: [qos.ch-announce] Recent server failure at QOS.CH Sarl Message-ID: Hello All, You may have noticed that our jira server and mailing lists have been down during 10th through 12th of March. A system update of one of our servers went horribly wrong. We are currently recreating that server from backups. Full service has been restored. Unfortunately, a dozen jira issues were lost in the incident and are being recreated by hand. If you have subscribed to our Jira server or our mailing lists since the beginning of 2023, we kindly ask you to subscribe a second time. We present our apologies for the trouble. If you are wondering, there was no data breach. More importantly, our software repositories were not affected in any way. You can receive SLF4J/logback/reload4j related announcements by subscribing QOS.ch announce list, please visit the following URL. http://www.qos.ch/mailman/listinfo/announce Best regards, -- Ceki Gülcü Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch From announce at qos.ch Wed Mar 15 15:39:23 2023 From: announce at qos.ch (QOS.ch annoucements) Date: Wed, 15 Mar 2023 15:39:23 +0100 Subject: [qos.ch-announce] Release of logback versions 1.3.6 and 1.4.6 Message-ID: Hello all, I am happy to announce the simultaneous release of logback versions 1.3.6 and 1.4.6. Both versions require slf4j-api version 2.0.x or later. These releases fix several outstanding bugs. For more details, please refer to the the news page: http://logback.qos.ch/news.html We thank LVM Insurances (https://www.lvm.de) for kindly championing these releases. Why two simultaneous releases? Given that downstream users are likely to depend on either Java EE (in the javax namespace) or on Jakarta EE (in the jakarta namespace) in their projects, it was deemed important for logback to support both EE alternatives. As such, logback 1.3.x supports Java EE whereas logback 1.4.x supports Jakarta EE, otherwise the two versions are feature identical. Both 1.3.x and 1.4.x series require the fluent-API introduced in SLF4J 2.0.x. The 1.3.x series requires Java 8 at runtime. If you wish to build logback from source, you will need Java 9. The 1.4.x series requires Java 11 at build time and at runtime. Groovy configuration: Support for Groovy configuration was dropped for security reasons but was recovered by Tucker Pelletier (virtualdogbert). See: https://github.com/virtualdogbert/logback-groovy-config Benchmarks: For benchmarking figures please see: http://logback.qos.ch/performance.html Reproducible builds: Recent logback releases are reproducible. This means that anyone checking out the code corresponding to the release version from github and building that local copy, will get obtain an identical binary to the binary found on Maven central. Note that due to issue MJAR-275 with the module-info.java produced in earlier java versions, reproducible builds require Java 19. Donations and sponsorship You can also support SLF4J/logback/reload4j projects via donations and sponsorship. We thank our current supporters and sponsors for their continued contributions and in particular Spotify R&D and Exoscale. Sponsorship link: https://github.com/sponsors/qos-ch Announcement mailing list: You can receive SLF4J/logback/reload4j related announcements by subscribing QOS.ch announce list, please visit the following URL. http://www.qos.ch/mailman/listinfo/announce Enjoy, -- Ceki Gülcü From announce at qos.ch Fri May 12 19:51:53 2023 From: announce at qos.ch (QOS.ch annoucements) Date: Fri, 12 May 2023 19:51:53 +0200 Subject: [qos.ch-announce] investment by the Sovereign Tech Fund Message-ID: Hello all, In addition to preexisting support from companies such as Google, Exolab and Spotify R&D, we are excited to announce a sustained and multi-year investment from the Sovereign Tech Fund (STF) for the maintenance and improvement of logback, SLF4J and reload4j projects [1]. In 2006, we founded the SLF4J and logback projects and continue to maintain them until this day. Cumulatively, the artifacts of these two projects are downloaded over 4 billion times per year. Given the sheer volume of users, maintaining the SLF4J and logback projects can be rather time consuming. In 2022, we started the reload4j project with the goal of fixing critical security issues in log4j 1.x. We wish to continue providing the most reliable, fast and flexible logging framework for Java developers and heartily thank the STF for choosing to invest in our projects. The Sovereign Tech Fund supports the development, improvement and maintenance of digital infrastructure. Their goal is to sustainably strengthen the open source ecosystem, with a focus on security, resilience, technological diversity, and the people behind the projects. As Cailean Osborne aptly put it [2]: “As one of the first governmental funds dedicated to OSS, the STF is spearheading a critical shift in how governments invest in the long-term viability of OSS and digital public goods." In our own experience, even the tiniest token of support counts. It goes without saying that a larger multi-year investment counts all the more. We would like to express our gratitude to the Sovereign Tech Fund for their support and for paving the way for this historical change. [1] https://tinyurl.com/stfLogback [2] https://tinyurl.com/stfCaileanOsborne -- Ceki Gülcü Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch From announce at qos.ch Tue Jun 13 16:28:33 2023 From: announce at qos.ch (QOS.ch annoucements) Date: Tue, 13 Jun 2023 16:28:33 +0200 Subject: [qos.ch-announce] Release of logback versions 1.3.8 and 1.4.8 Message-ID: Hello all, I am happy to announce the simultaneous release of logback versions 1.3.8 and 1.4.8. Both versions require slf4j-api version 2.0.x or later. In addition to fixing several outstanding bugs, these releases add JsonEncoder which outputs logging events in Newline delimited JSON (ndjson) format. For more details, please refer to the the news page: http://logback.qos.ch/news.html We thank the Sovereign Tech Fund for kindly championing these releases. https://sovereigntechfund.de/en/ Why two simultaneous releases? Given that downstream users are likely to depend on either Java EE (in the javax namespace) or on Jakarta EE (in the jakarta namespace) in their projects, it was deemed important for logback to support both EE alternatives. As such, logback 1.3.x supports Java EE whereas logback 1.4.x supports Jakarta EE, otherwise the two versions are feature identical. Both 1.3.x and 1.4.x series require the fluent-API introduced in SLF4J 2.0.x. The 1.3.x series requires Java 8 at runtime. If you wish to build logback from source, you will need Java 9. The 1.4.x series requires Java 11 at build time and at runtime. Groovy configuration: Support for Groovy configuration was dropped for security reasons but was recovered by Tucker Pelletier (virtualdogbert). See: https://github.com/virtualdogbert/logback-groovy-config Benchmarks: For benchmarking figures please see: http://logback.qos.ch/performance.html Reproducible builds: w Donations and sponsorship You can also support SLF4J/logback/reload4j projects via donations and sponsorship. We thank our current supporters and sponsors for their continued contributions and in particular The Sovereign Tech Fund, Spotify R&D and Exoscale. Sponsorship link: https://github.com/sponsors/qos-ch Announcement mailing list: You can receive SLF4J/logback/reload4j related announcements by subscribing QOS.ch announce list, please visit the following URL. http://www.qos.ch/mailman/listinfo/announce Enjoy, -- Ceki Gülcü From announce at qos.ch Fri Aug 4 22:48:05 2023 From: announce at qos.ch (QOS.ch annoucements) Date: Fri, 4 Aug 2023 22:48:05 +0200 Subject: [qos.ch-announce] Release of logback versions 1.3.9 and 1.4.9 Message-ID: Hello all, I am happy to announce the simultaneous release of logback versions 1.3.9 and 1.4.9. Both versions require slf4j-api version 2.0.x or later. This is the first logback release with GraalVM in mind. In addition to bug fixes, logback now ships with SerializedModelConfigurator which can load serialized model files for configuration. For more details, please refer to the the news page: http://logback.qos.ch/news.html We thank the Sovereign Tech Fund for kindly championing these releases. https://sovereigntechfund.de/en/ Why two simultaneous releases? Given that downstream users are likely to depend on either Java EE (in the javax namespace) or on Jakarta EE (in the jakarta namespace) in their projects, it was deemed important for logback to support both EE alternatives. As such, logback 1.3.x supports Java EE whereas logback 1.4.x supports Jakarta EE, otherwise the two versions are feature identical. Both 1.3.x and 1.4.x series require the fluent-API introduced in SLF4J 2.0.x. The 1.3.x series requires Java 8 at runtime. If you wish to build logback from source, you will need Java 9. The 1.4.x series requires Java 11 at build time and at runtime. Groovy configuration: Support for Groovy configuration was dropped for security reasons but was recovered by Tucker Pelletier (virtualdogbert). See: https://github.com/virtualdogbert/logback-groovy-config Benchmarks: For benchmarking figures please see: http://logback.qos.ch/performance.html Reproducible builds: Recent logback releases are reproducible. This means that anyone checking out the code corresponding to the release version from github and building that local copy, will get obtain an identical binary to the binary found on Maven central. Note that due to issue MJAR-275 with the module-info.java produced in earlier java versions, reproducible builds require Java 19. Donations and sponsorship You can also support SLF4J/logback/reload4j projects via donations and sponsorship. We thank our current supporters and sponsors for their continued contributions and in particular The Sovereign Tech Fund, Spotify R&D and Exoscale. Sponsorship link: https://github.com/sponsors/qos-ch Announcement mailing list: You can receive SLF4J/logback/reload4j related announcements by subscribing QOS.ch announce list, please visit the following URL. http://www.qos.ch/mailman/listinfo/announce Enjoy, -- Ceki Gülcü From announce at qos.ch Sun Sep 3 18:48:08 2023 From: announce at qos.ch (QOS.ch annoucements) Date: Sun, 3 Sep 2023 18:48:08 +0200 Subject: [qos.ch-announce] Release of SLF4J version 2.0.9 Message-ID: Hello All, I am very pleased to announce the release of SLF4J version 2.0.9. It is now possible to specify the provider class explicitly via the "slf4j.provider" system property, yielding full control of provider loading to the end-user. Moreover, the "slf4j.provider" system property bypasses the service loader mechanism for finding providers and may shorten SLF4J initialization. A "Bill of Materials" (BOM) file was added to the SLF4J project. This was a frequently requested feature. Garret Wilson's "Improving the Maven Bill of Materials (BOM) Pattern" document was instrumental in making this happen. Please refer to the the news page for more details on this release: http://www.slf4j.org/news.html The 2.0.x series introduces a backward-compatible fluent logging API. By backward-compatible, we mean that existing logging frameworks do not have to be changed in order for the user to benefit from the fluent logging API. However, existing frameworks *must* migrate to the ServiceLoader mechanism. The resulting internal changes are detailed in the FAQ page. http://www.slf4j.org/faq.html#changesInVersion200 The 2.0.x series builds upon the the 1.8.x series which was modularized per Java Platform Module System (JPMS/Jigsaw). The 2.0.x series requires Java 8. Binary compatibility: Mixing mixing different versions of slf4j-api.jar and SLF4J provider can cause problems. For example, if you are using slf4j-api-2.0.0.jar, then you should also use slf4j-simple-2.0.0.jar, using slf4j-simple-1.5.5.jar will not work. With the exception of the fluent API (new in SLF4J 2.0.x), from the client's perspective, all versions of slf4j-api, more specifically classes in the org.slf4j package, are backward compatible. Client code compiled with slf4j-api-N.jar will run perfectly fine with slf4j-api-M.jar for any N and M. You only need to ensure that the version of your provider matches that of the slf4j-api.jar. You do not have to worry about the version of slf4j-api.jar used to compile a given dependency in your project. You can always use *any* version of slf4j-api.jar, and as long as the version of slf4j-api.jar and its provider match, you should be fine. Donations and sponsorship You can also support SLF4J/logback/reload4j projects via donations and sponsorship. We thank our current supporters and sponsors for their continued contributions. Sponsorship link: https://github.com/sponsors/qos-ch Announcement mailing list: You can receive SLF4J/logback/reload4j related announcements by subscribing QOS.ch announce list, please visit the following URL. http://www.qos.ch/mailman/listinfo/announce Enjoy, -- Ceki Gülcü From announce at qos.ch Fri Dec 1 15:45:59 2023 From: announce at qos.ch (QOS.ch annoucements) Date: Fri, 1 Dec 2023 16:45:59 +0100 Subject: [qos.ch-announce] Release of logback versions 1.3.14 and 1.4.14 Message-ID: Hello all, I am happy to announce the simultaneous release of logback versions 1.3.14 and 1.4.14. Both versions require slf4j-api version 2.0.x or later. This version fixes potential vulnerability consisting of denial of service attack on a logback receiver by sending it poisoned data. This problem was reported by Yakov Shafranovich, Amazon Web Services. It has been reported under the reference CVE-2023-6378. For more details, please refer to the the news page: http://logback.qos.ch/news.html Why two simultaneous releases? Given that downstream users are likely to depend on either Java EE (in the javax namespace) or on Jakarta EE (in the jakarta namespace) in their projects, it was deemed important for logback to support both EE alternatives. As such, logback 1.3.x supports Java EE whereas logback 1.4.x supports Jakarta EE, otherwise the two versions are feature identical. Both 1.3.x and 1.4.x series require the fluent-API introduced in SLF4J 2.0.x. The 1.3.x series requires Java 8 at runtime. If you wish to build logback from source, you will need Java 9. The 1.4.x series requires Java 11 at build time and at runtime. Groovy configuration: Support for Groovy configuration was dropped for security reasons but was recovered by Tucker Pelletier (virtualdogbert). See: https://github.com/virtualdogbert/logback-groovy-config Benchmarks: For benchmarking figures please see: http://logback.qos.ch/performance.html Reproducible builds: Recent logback releases are reproducible. This means that anyone checking out the code corresponding to the release version from github and building that local copy, will get obtain an identical binary to the binary found on Maven central. Note that due to issue MJAR-275 with the module-info.java produced in earlier java versions, reproducible builds require Java 19. Donations and sponsorship You can also support SLF4J/logback/reload4j projects via donations and sponsorship. We thank our current supporters and sponsors for their continued contributions and in particular The Sovereign Tech Fund, Spotify R&D and Exoscale. Sponsorship link: https://github.com/sponsors/qos-ch Announcement mailing list: You can receive SLF4J/logback/reload4j related announcements by subscribing QOS.ch announce list, please visit the following URL. http://www.qos.ch/mailman/listinfo/announce Enjoy, -- Ceki Gülcü