Start cleaning up ancient log4j 1.x to make a security release.

* README.md: describe intent and situation
* LICENSE: update copyright year
* .gitignore: start a git ignore file
* INSTALL: note use of maven 3 / JDK 6 / toolchains.xml
* pom.xml: update some old metadata, use toolchain

Author: lsimons

.gitignore

@@ -0,0 +1,2 @@
+target/
+tests/output/

INSTALL

@@ -73,22 +73,30 @@ except test cases and classes from the "examples" and
 Building log4j
 ==============
 
-log4j (as of 1.2.15) is built with Maven 2.  To rebuild log4j,
-place Maven 2 on the PATH and execute "mvn package".  The resulting
-jar will be placed in the target subdirectory.
-
-If building with JDK 1.4, one dependency will need to be manually
-installed since its license does not allow it to be placed in the
-online maven repositories.  If not already installed, a build attempt will
-describe where to download and how to install the dependency.  To
-install the dependency:
-
-Download JMX 1.2.1 from http://java.sun.com/products/JavaManagement/download.html.
-
-$ jar xf jmx-1_2_1-ri.zip
-$ mvn install:install-file -DgroupId=com.sun.jmx -DartifactId=jmxri \
-          -Dversion=1.2.1 -Dpackaging=jar -Dfile=jmx-1_2_1-bin/lib/jmxri.jar
-
+log4j (as of 1.2.18) is built with Maven 3 and JDK 6.
+
+To configure your Maven installation to build with JDK 6, provide a
+~/.m2/toolchains.xml file defining an oracle jdk 1.6, for example:
+
+      <?xml version="1.0" encoding="UTF-8"?>
+      <toolchains>
+         <toolchain>
+            <type>jdk</type>
+            <provides>
+               <version>1.6</version>
+               <vendor>oracle</vendor>
+            </provides>
+            <configuration>
+               <jdkHome>/usr/lib/jvm/java-1.6.0-openjdk-amd64</jdkHome>
+               <!-- <jdkHome>C:\Program Files\Java\jdk1.6.0_45</jdkHome> -->
+            </configuration>
+         </toolchain>
+      </toolchains>
+
+Either Oracle JDK 6 or OpenJDK 6 is supported, but our pom expects vendor "oracle".
+
+To rebuild log4j, place Maven 3 on the PATH and execute "mvn package".
+The resulting jar will be placed in the target subdirectory.
 
 The build script will attempt to build NTEventLogAppender.dll if
 MinGW is available on the path.  If the unit tests are run on Windows

NOTICE

@@ -1,5 +1,5 @@
 Apache log4j
-Copyright 2010 The Apache Software Foundation
+Copyright 2010-2021 The Apache Software Foundation
 
 This product includes software developed at
 The Apache Software Foundation (http://www.apache.org/).

README.md

@@ -0,0 +1,19 @@
+# Work In Progress
+
+Not ready for use.
+
+# End Of Life
+
+On August 5, 2015 the Logging Services Project Management Committee announced that Log4j 1.x had reached end of life. For complete text of the announcement please see the [Apache Blog](https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces). Users of Log4j 1 are recommended to upgrade to [Apache Log4j 2](https://logging.apache.org/log4j/2.x/index.html).
+
+# Security release 1.2.18
+
+On December 10, 2021 the Logging Services Project Management Committee announced the release of Log4j 2.15 to fix a critical security vulnerability, followed by Log4j 2.16 on December 13 with further fixes for this vulnerability, with details on the [Log4j Security Page](https://logging.apache.org/log4j/2.x/security.html). All log4j users should follow this security advice.
+
+For remaining users of log4j 1.2 and older, the recommended upgrade path remains to migrate to [Apache Log4j 2](https://logging.apache.org/log4j/2.x/index.html). Log4j 1.2 does not suffer from the same security vulnerabilities in the same way, but users should still upgrade: Log4j 1.2 does have an older known vulnerability [CVE-2019-17571](https://www.cvedetails.com/cve/CVE-2019-17571/) and per the above end-of-life notice is UNMAINTAINED software since 2015. It is possible Log4j 1.2 has several unknown vulnerabilities.
+
+For users that cannot upgrade to Log4j 2.x, a somewhat-secured version of Log4j 1.2 is being made as Log4j 1.2.18. This is a new release of otherwise UNMAINTAINED software. While 1.2.18 will fix a critical security vulnerability and has some improvements to the library that should help with security, it remains End Of Life and users should make plans to upgrade to 2.x.
+
+## Changes in 1.2.18
+
+* ...

pom.xml

@@ -34,39 +34,28 @@ target platform and specify -Dntdll_target=msbuild on the mvn command line.
   <packaging>bundle</packaging>
   <name>Apache Log4j</name>
   <version>1.2.18-SNAPSHOT</version>
-  <description>Apache Log4j 1.2</description>
+  <description>Apache Log4j 1.2 (UNMAINTAINED)</description>
   <url>http://logging.apache.org/log4j/1.2/</url>
   <issueManagement>
-    <system>Bugzilla</system>
-    <url>https://issues.apache.org/bugzilla/describecomponents.cgi?product=Log4j</url>
+    <!-- not really, this is for 2.x, but Bugzilla for Log4j is also disabled -->
+    <system>Jira</system>
+    <url>https://issues.apache.org/jira/projects/LOG4J2</url>
   </issueManagement>
-  <ciManagement>
-    <system>Gump</system>
-    <url>http://vmgump.apache.org/gump/public/logging-log4j-12/logging-log4j-12/index.html</url>
-  </ciManagement>
   <inceptionYear>1999</inceptionYear>
   <mailingLists>
     <mailingList>
       <name>log4j-user</name>
       <subscribe>log4j-user-subscribe@logging.apache.org</subscribe>
       <unsubscribe>log4j-user-unsubscribe@logging.apache.org</unsubscribe>
       <post>log4j-user@logging.apache.org</post>
-      <archive>http://mail-archives.apache.org/mod_mbox/logging-log4j-user/</archive>
-      <otherArchives>
-        <otherArchive>http://marc.info/?l=log4j-user</otherArchive>
-        <otherArchive>http://dir.gmane.org/gmane.comp.jakarta.log4j.user</otherArchive>
-      </otherArchives>
+      <archive>https://lists.apache.org/list.html?log4j-user@logging.apache.org</archive>
     </mailingList>
     <mailingList>
       <name>log4j-dev</name>
-      <subscribe>log4j-dev-subscribe@logging.apache.org</subscribe>
-      <unsubscribe>log4j-dev-unsubscribe@logging.apache.org</unsubscribe>
-      <post>log4j-dev@logging.apache.org</post>
-      <archive>http://mail-archives.apache.org/mod_mbox/logging-log4j-dev/</archive>
-      <otherArchives>
-        <otherArchive>http://marc.info/?l=log4j-dev</otherArchive>
-        <otherArchive>http://dir.gmane.org/gmane.comp.jakarta.log4j.devel</otherArchive>
-      </otherArchives>
+      <subscribe>dev-subscribe@logging.apache.org</subscribe>
+      <unsubscribe>dev-unsubscribe@logging.apache.org</unsubscribe>
+      <post>dev@logging.apache.org</post>
+      <archive>https://lists.apache.org/list.html?dev@logging.apache.org</archive>
     </mailingList>
   </mailingLists>
   <licenses>
@@ -77,16 +66,36 @@ target platform and specify -Dntdll_target=msbuild on the mvn command line.
     </license>
   </licenses>
   <scm>
-    <connection>scm:svn:http://svn.apache.org/repos/asf/logging/log4j/trunk</connection>
-    <developerConnection>scm:svn:https://svn.apache.org/repos/asf/logging/log4j/trunk</developerConnection>
-    <url>http://svn.apache.org/viewvc/logging/log4j/trunk</url>
+    <connection>scm:git:https://github.com/apache/log4j</connection>
+    <developerConnection>scm:svn:https://gitbox.apache.org/repos/asf/logging-log4j1.git</developerConnection><!-- todo -->
+    <url>https://gitbox.apache.org/repos/asf/logging-log4j2.git</url>
   </scm>
   <organization>
     <name>Apache Software Foundation</name>
     <url>http://www.apache.org</url>
   </organization>
   <build>
     <plugins>
+       <plugin>
+         <groupId>org.apache.maven.plugins</groupId>
+         <artifactId>maven-toolchains-plugin</artifactId>
+        <version>1.1</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>toolchain</goal>
+            </goals>
+          </execution>
+        </executions>
+        <configuration>
+          <toolchains>
+            <jdk>
+              <version>1.6</version>
+              <vendor>oracle</vendor>
+            </jdk>
+          </toolchains>
+        </configuration>
+      </plugin>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-resources-plugin</artifactId>
@@ -344,13 +353,16 @@ target platform and specify -Dntdll_target=msbuild on the mvn command line.
             <version>3.8.1</version>
             <scope>compile</scope>
           </dependency>
-          <dependency>
+          <!--
+            does not seem to be needed if not rebuilding .dll
+            
+            <dependency>
             <groupId>sun.jdk</groupId>
             <artifactId>tools</artifactId>
             <version>1.4.2</version>
             <scope>system</scope>
             <systemPath>${tools.jar}</systemPath>
-          </dependency>
+          </dependency>-->
         </dependencies>
       </plugin>
       <plugin>
@@ -593,4 +605,3 @@ target platform and specify -Dntdll_target=msbuild on the mvn command line.
     </site>
   </distributionManagement>
 </project>
-