Log4J and DSpace 6.x


Sarah Mount

Jan 5, 2022, 1:42:34 PM
to DSpace Technical Support
Hello all,

I'm aware that DSpace 6.x is not going to get a patch that would allow end-users to upgrade to Log4Jv2, but I was wondering whether anyone else is likely to be working on this?

Thanks,

Sarah

hb wooley

Jan 7, 2022, 11:51:46 AM
to DSpace Technical Support
I was looking for a solution to this issue not only for DSpace 6.x, but also for another application I use, "GeoServer". See https://www.geosolutionsgroup.com/blog/geosolutions-lo4shell/ for their solution, "log4j-1.2.17-norce.jar", for Log4J and their explanation of the differences between Log4J and Log4J2. I replaced (in place, without a rebuild) the Log4J 1.2.17 library on a test server, restarted Tomcat, and it appeared to work for the small tests I completed. I hope this may help some others.

***Note -  I'm NOT affiliated with this organization and use at your own RISK.
 
BW

Tim Donohue

Jan 10, 2022, 11:28:12 AM
to DSpace Technical Support
Hi Sarah,

Just wanted to note that I'm not aware of anyone who has tried updating DSpace 6.x (or any prior release) to log4j v2.  As I initially noted in this log4j summary email (https://groups.google.com/g/dspace-tech/c/QR59bS4nIT0/m/Ze2hyOhhAgAJ), I believe this upgrade would be extremely complex (and I'm not even sure if it's possible).  

Unfortunately, most of the other dependencies which DSpace 6.x (and 5.x/4.x or any prior release) uses also rely on log4j v1 (especially Solr). Attempting to upgrade DSpace 6.x to log4j v2 therefore may also require finding ways to upgrade or patch all other dependencies which also rely on log4j v1... and that likely would be a massive undertaking (possibly similar effort to a new major release of DSpace).

This is why I recommend that anyone who wants to be on log4j v2 please consider upgrading to DSpace 7.x in the near future (version 7.2 is right around the corner & due on Feb 7). It is not always easy (or even possible) to update dependencies in the DSpace 6.x/5.x platforms, as we are sometimes blocked or hampered by the age of the User Interface technologies (especially Apache Cocoon for XMLUI) and other core dependencies (older Solr, Spring technologies, etc.).

If you or anyone else has further questions on this, let us know on this list,

Tim

Sarah Mount

Jan 11, 2022, 5:25:27 AM
to Tim Donohue, DSpace Technical Support
Hi Tim,

Many thanks for this. For reasons that I won't go into here, it looks like trying to patch 6.4 is something that we need to try. It may be that the v1->v2 bridge that's been mentioned will be a better option for us, but we're looking at both choices right now.

Currently, I have a version of 6.4 that does not directly use log4j v1, but it does still have a handful (<20) of transitive imports of v1 from slf4j and Solr. The patched 6.4 can compile all the front-ends and pass the unit/integration tests, and I can run DSpace locally in a container -- but I haven't tackled converting the configuration files in earnest yet, and I've noticed that the PR for v7 uses XML for some configuration files.

My local PR for this is already approx. 1kloc larger than the PR to upgrade log4j in DSpace v7, and no doubt it'll get larger still before we take a decision to either merge or abandon it.

Sarah



--
Dr. Sarah Mount
Technical Lead, Beautiful Canoe
Fellow of the Software Sustainability Institute
twitter: @snim2
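
An added example, not part of the original thread or of DSpace's code: a Python inventory of the jars under a deployed webapps directory that still carry log4j 1.x API classes, which is the check to run after an in-place jar swap or when counting the transitive copies mentioned above. It assumes Maven-built jars embed `pom.properties` under `META-INF/maven/`; the directory layout, file names and versions in `SAMPLE` are constructed.

```python
import re
import tempfile
import zipfile
from pathlib import Path

V1_PACKAGE = "org/apache/log4j/"  # 1.x API package; log4j 2 core is org/apache/logging/log4j/
V1_POM = "META-INF/maven/log4j/log4j/pom.properties"
BRIDGE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-1.2-api/pom.properties"
KNOWN = {V1_POM: "log4j 1.x", BRIDGE_POM: "log4j 2 bridge for the 1.x API"}
SAMPLE = {  # constructed stand-in jars, not real DSpace artifacts: path -> (metadata, version)
    "xmlui/WEB-INF/lib/log4j-1.2.17.jar": (V1_POM, "1.2.17"),
    "xmlui/WEB-INF/lib/log4j-1.2-api-2.17.1.jar": (BRIDGE_POM, "2.17.1"),
    "solr/WEB-INF/lib/fat-plugin.jar": (None, None),  # classes repackaged, no metadata
}

def inspect_jar(jar):
    """Return (label, version) if the jar carries 1.x API classes, else None."""
    try:
        with zipfile.ZipFile(jar) as zf:
            names = set(zf.namelist())
            if not any(n.startswith(V1_PACKAGE) and n.endswith(".class") for n in names):
                return None
            for pom, label in KNOWN.items():
                if pom in names:
                    text = zf.read(pom).decode("utf-8", "replace")
                    ver = re.search(r"^version=(.+)$", text, re.M)
                    return label, ver.group(1).strip() if ver else "?"
            return "bundled copy without log4j Maven metadata", "?"
    except (zipfile.BadZipFile, OSError):
        return "unreadable archive", "?"

def scan(root):
    """Map each flagged jar under root (relative path) to its (label, version)."""
    hits = ((p.relative_to(root).as_posix(), inspect_jar(p)) for p in sorted(Path(root).rglob("*.jar")))
    return {rel: hit for rel, hit in hits if hit}

def build_sample(root):
    for rel, (pom, version) in SAMPLE.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(V1_PACKAGE + "Logger.class", b"")
            if pom:
                zf.writestr(pom, f"#constructed\nversion={version}\ngroupId=x\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, (label, version) in scan(tmp).items():
            print(f"{rel}: {label} {version}")
```

Jars reported as bundled copies are the ones a filename search for `log4j-1*.jar` would miss.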

Tim Donohue

Jan 11, 2022, 10:05:45 AM
to DSpace Technical Support
Hi Sarah,

Good to know you are working on something. If you *do* manage to find a way to upgrade DSpace 6.4 to use log4j v2, please send us a PR. We'd be open to making this fix for everyone in a new 6.x release. However, as previously implied, I'm not aware of anyone who has managed to get this to work properly yet... doesn't mean it's impossible, just that it's not an easy fix to make (as it sounds like you've discovered).

If others are also interested in collaborating with you (and it sounds like they might be), you are also welcome to create a *draft* PR in our https://github.com/DSpace/DSpace (dspace-6_x branch) and invite others to collaborate on it with you.   We obviously won't merge anything into the core code until it's proven to work (i.e. fully tested/reviewed), but we welcome anyone to create draft PRs if they are looking for collaborators / early feedback, etc.

Good luck & please do let us know how it goes!

Tim

Sarah Mount

Aug 18, 2022, 5:01:52 PM
to DSpace Technical Support
Just a quick follow-up to this. I'm leaving my current role tomorrow, but in case anyone comes across this thread, this approach did actually work, although it was certainly not an easy job at all.

Regards,

Sarah
