[Bug] Remove dependency on rocketmq-slf4j-api #9127

Open
3 tasks done
ppkarwasz opened this issue Jan 13, 2025 · 0 comments

Before Creating the Bug Report

  • I found a bug, not just asking a question, which should be created in GitHub Discussions.

  • I have searched the GitHub Issues and GitHub Discussions of this repository and believe that this is not a duplicate.

  • I have confirmed that this bug belongs to the current repository, not other repositories of RocketMQ.

Runtime platform environment

All

RocketMQ version

branch: develop

JDK Version

No response

Describe the Bug

Many RocketMQ artifacts depend on repackaged versions of SLF4J and Logback:

This is IMHO a very bad idea, since:

  • It introduces yet another logging API that users need to forward to their logging implementation.
  • Naïve implementations of bridges between logging APIs have a tendency to lose location information (class, method and line number). io.github.aliyunmq:rocketmq-slf4j-api-bridge is not an exception and loses location information.
  • Using those dependencies introduces an additional entity to the RocketMQ supply chain: the aliyun.mq project. I am aware of the fact that aliyun.mq is mostly composed of members of the RocketMQ PMC, but it is still an independent project and is not covered by the ASF rules and the Apache Security Team. This will cause a problem with the CRA and similar regulations.
  • The rocketmq-logback-classic artifact is basically subject to the same vulnerabilities as logback-classic, but I don't see any CVE being issued against that artifact (Logback published 7 CVEs in 2023 and 2024).

Steps to Reproduce

You can see the problem by searching the pom.xml files for the artifacts mentioned above.

What Did You Expect to See?

I would expect:

  • All the RocketMQ artifacts to depend on org.slf4j:slf4j-api or another established logging API. (Note that the openrewrite/rewrite-logging-frameworks project contains rules to rewrite SLF4J to any other logging API, so the choice of logging API is not really binding).
  • Additionally the rocketmq-distribution artifact should have a runtime dependency on ch.qos.logback:logback-classic.
  • No other RocketMQ artifact should have a runtime dependency on Logback (see rocketmq-tools should not depend on logback-classic #5347). If Logback is used by the tests, it should be in the test scope.

What Did You See Instead?

All RocketMQ artifacts depend on the custom io.github.aliyunmq:rocketmq-slf4j-api logging API. Some of them depend on io.github.aliyunmq:rocketmq-logback-classic or io.github.aliyunmq:rocketmq-slf4j-api-bridge.

Additional Context

No response
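To make the dependency review described in this issue repeatable, the following is an added example (not code from the RocketMQ project or from the issue author) that parses a Maven pom.xml and reports two things the report asks for: any dependency in the `io.github.aliyunmq` group (the repackaged SLF4J/Logback artifacts), and `ch.qos.logback:logback-classic` declared outside test scope in any module other than `rocketmq-distribution`. The module name check, the `RUNTIME_LOGBACK_ALLOWED` set and the sample poms are assumptions constructed for the example; real RocketMQ poms may differ.

```python
"""Audit a Maven pom.xml for the logging-dependency problems raised above.

Added example, not part of the RocketMQ project. It flags:
  - any dependency in the io.github.aliyunmq group
    (rocketmq-slf4j-api, rocketmq-logback-classic, rocketmq-slf4j-api-bridge)
  - ch.qos.logback:logback-classic outside test scope in any module other
    than rocketmq-distribution (the only artifact the issue says may ship
    Logback at runtime)
"""
import xml.etree.ElementTree as ET

REPACKAGED_GROUP = "io.github.aliyunmq"
# Assumption for the example: only the distribution artifact may carry Logback at runtime.
RUNTIME_LOGBACK_ALLOWED = {"rocketmq-distribution"}


def _local(tag):
    """Strip the Maven XML namespace so the checker works with or without xmlns."""
    return tag.split("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child named `name`, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def audit_pom(pom_xml):
    """Return a list of (artifactId, finding) tuples for one pom.xml string.

    Walks every <dependency> element (including <dependencyManagement>), so a
    banned artifact pinned only in management is reported as well.
    """
    root = ET.fromstring(pom_xml)
    module = _child_text(root, "artifactId")  # direct child, not <parent>/artifactId
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "dependency":
            continue
        group = _child_text(elem, "groupId")
        artifact = _child_text(elem, "artifactId")
        scope = _child_text(elem, "scope") or "compile"  # Maven default scope
        if group == REPACKAGED_GROUP:
            findings.append((artifact, "repackaged logging artifact"))
        elif (group, artifact) == ("ch.qos.logback", "logback-classic") \
                and scope != "test" and module not in RUNTIME_LOGBACK_ALLOWED:
            findings.append((artifact, "logback-classic in %s scope" % scope))
    return findings


# Constructed sample: a module using the repackaged API plus Logback in test scope.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>rocketmq-example-module</artifactId>
  <dependencies>
    <dependency>
      <groupId>io.github.aliyunmq</groupId>
      <artifactId>rocketmq-slf4j-api</artifactId>
    </dependency>
    <dependency>
      <groupId>io.github.aliyunmq</groupId>
      <artifactId>rocketmq-logback-classic</artifactId>
    </dependency>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
    </dependency>
  </dependencies>
</project>
"""

# Constructed sample: a non-distribution module leaking Logback into compile scope.
SAMPLE_POM_LOGBACK = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>rocketmq-example-tools</artifactId>
  <dependencies>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for name, pom in (("rocketmq-example-module", SAMPLE_POM),
                      ("rocketmq-example-tools", SAMPLE_POM_LOGBACK)):
        for artifact, finding in audit_pom(pom):
            print("%s: %s (%s)" % (name, artifact, finding))
```

On a real checkout, feed each `pom.xml` found under the repository root to `audit_pom` and fail the build if the list is non-empty; because the check reads the declared poms rather than the resolved graph, it does not see artifacts pulled in transitively, which `mvn dependency:tree` would still be needed for.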
