Ecosyste.ms sponsors
An open API service aggregating public data about GitHub Sponsors.
An open API service aggregating public data about GitHub Sponsors.
Funding Links: https://github.com/sponsors/qos-ch
The log4j software was donated to the Apache Software foundation by QOS.CH in the year 2000, over 20 years ago. We maintained the log4j 1.x framework from 2000 until 2006. In the meantime, we founded the Apache Logging top-level project and served as its first PMC chair.
In 2006, we founded the SLF4J and logback projects and continue to maintain them until this day. Cumulatively, the artifacts of these two projects are downloaded over 4 billion times per year. Given the sheer volume of users, maintaining the SLF4J and logback projects can be rather time consuming.
In 2022, we started the reload4j project with the goal of fixing critical security issues in log4j 1.x.
We wish to continue providing the most reliable, fast and flexible logging framework for Java developers. We thank our current sponsors who help us with our mission and welcome the support of new sponsors.
Prevalence of logging frameworks
Regarding the log4shell vulnerability, the prevalence of various java logging libraries puts things into perspective. Here are the relevant figures as found in mvnrepository site on 2021-12-17.
Project
Category
group:artifact
count
%
SLF4J
API
org.slf4j:slf4j-api
52,247
69%
Commons-logging
API
commons-logging:commons-logging
10,412
14%
SLF4J
API
org.slf4j:jcl-over-slf4j
7,546
10%
LOG4J2
API
org.apache.logging.log4j:log4j-api
5,226
7%
Total
API
-
75,431
100%
Project
Category
group:artifact
count
%
LOGBACK
implementation
ch.qos.logback:logback-classic
21,770
48%
LOG4J1
implementation
log4j:log4j
16,610
37%
LOG4J2
implementation
org.apache.logging.log4j:log4j-core
6,974
15%
Total
implementation
-
45,174
100%
Notwithstanding its 48% prevalence overall (in the implementation category), no attacks have been reported against logback that we are aware of.