Well, from my
point of view the usage of reload4j is the only backwards
compatible solution. Unfortunately not for every case,
e.g. too strict version ranges. The solution forward is of
course the usage of a log wrapper to decouple development
Anyhow I don't know
how to add a bundle jar signed and unchanged to Orbit. I
am only aware of the re-bundling via EBR. Doing that will
cause a change in the jar structure that causes, for
example, logpresso to identify a CVE, although it is fixed.
Which is actually only an issue in the detection. But that
was one of the reasons why I contacted the reload4j
project to change the base to avoid the re-bundling.
Anyone who knows
how to only sign and publish to Orbit without
Though I'm not sure if they would consider the
problem being fixed in 1.2.19 a fact and even if it's a
fact if it would be a fact that matters...
On 08.02.2022 15:48, Dirk Fauth via
I got in contact with the reload4j
team. They changed the Bundle-SymbolicName to
org.apache.log4j and fixed several OSGi metadata
related issues in the meanwhile. Today they
published 1.2.19 which should work as a drop-in
replacement in Eclipse based applications where
Require-Bundle was used. My local tests worked so
That said, re-bundling for Orbit
should not be necessary as reload4j could directly
be consumed via Maven Central.