我依赖于几个 Apache TLP(顶级项目),如 Apache Axis、Commons HttpClient、Commons DBCP、Commons Transaction 等。
这些项目中的每一个都依赖于 JCL(Commons Logging),并且每个项目都依赖于不同版本的 JCL。
我应该选择哪个版本的 JCL - 最高版本是最佳选择吗?较高版本的 JCL 是否与针对较低版本编译的项目兼容(一些项目针对 JCL 的 1.0.x 版本编译,而其他项目针对 1.1.x 编译)?JCL 项目本身是否在某处传达了这些信息?
1.1.1 版的RELEASE-NOTES 说明如下:
== Incompatibilities ==
The protected method LogFactory.getContextClassLoader has been reverted to pre-1.1
behaviour. In earlier releases, this method did not use an AccessController when
obtaining the context classloader. In version 1.1 it did. In this release, it has
reverted to not using an AccessController; any user-level code that needs to obtain
a context classloader should itself create an AccessController, and call the
LogFactory.getContextClassLoader method via the doPrivileged method. This fixes a
potential security issue, where untrusted code could get access to the context
classloader if a signed Commons Logging library was in the classpath.
这对我来说听起来很具体。我会尝试最新版本(1.1.1),看看是否出现了一些问题。