IntelLabs/GKL

GKL should ideally use commons-logging or similar instead of log4j

Closed this issue · 2 comments

The recent log4j exploit has led me to check various projects and realize that many Java/JVM based projects include log4j solely due to having GKL as a dependency. I would argue that it is not good practice to have library code like the GKL bind directly to a logging framework like log4j, but instead to have it use commons-logging or something similar that allows tools and applications that use the library to redirect logging information into the logging toolkit of their choice.

Intel is continuing to evaluate the impact of the Apache Log4j2 security vulnerabilities (CVE-2021-44228 & CVE-2021-45046) on our product portfolio. Please see INTEL-SA-00646 for the most up-to-date information. We will continue to update this Security Advisory as new information becomes available.

As of version 0.8.10 GKL uses commons-logging instead of log4j.
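
A check for the situation this issue describes, where log4j reaches a build only through a library dependency, written as an added example (not code from the GKL project): it parses `mvn dependency:tree` text output and reports which direct dependency pulls in `org.apache.logging.log4j` artifacts. The sample tree is constructed; the coordinate `com.intel.gkl:gkl` and every version in it are assumed placeholders.

```python
import re

# Constructed sample of `mvn dependency:tree` output. Coordinates and
# versions are placeholders, not taken from a real build.
SAMPLE_TREE = r"""
[INFO] org.example:variant-tool:jar:1.0.0
[INFO] +- com.intel.gkl:gkl:jar:0.0.0-sample:compile
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:0.0.0-sample:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:0.0.0-sample:compile
[INFO] +- org.slf4j:slf4j-api:jar:0.0.0-sample:compile
[INFO] \- org.example:report-writer:jar:1.0.0:compile
[INFO]    \- commons-logging:commons-logging:jar:0.0.0-sample:compile
"""

# Each tree level is a 3-character indent: "|  ", "   ", "+- " or "\- ".
NODE = re.compile(
    r"^(?:\[INFO\] )?((?:\|  |   |\+- |\\- )*)([\w.\-]+(?::[\w.\-]+){3,5})\s*$"
)

def paths_to(tree_text, group_id):
    """Return every root-to-artifact path ending in an artifact of group_id."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # blank lines, plugin banners, build summary
        depth = len(m.group(1)) // 3
        del stack[depth:]          # unwind to this node's parent
        stack.append(m.group(2))
        if m.group(2).split(":")[0] == group_id:
            hits.append(list(stack))
    return hits

def introducers(tree_text, group_id):
    """Map each direct dependency to the group_id artifacts it pulls in."""
    result = {}
    for path in paths_to(tree_text, group_id):
        # path[0] is the project itself; a 2-element path is a direct declaration
        owner = "(declared directly)" if len(path) == 2 else ":".join(path[1].split(":")[:2])
        result.setdefault(owner, []).append(path[-1].split(":")[1])
    return result

if __name__ == "__main__":
    found = introducers(SAMPLE_TREE, "org.apache.logging.log4j")
    for owner, artifacts in found.items():
        print(f"{owner} brings in: {', '.join(artifacts)}")
```

To run it against a real project, pass the captured output of `mvn dependency:tree` to `introducers` in place of `SAMPLE_TREE`.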