General updates

git-svn-id: https://svn.apache.org/repos/asf/jakarta/commons/proper/logging/trunk@476777 13f79535-47bb-0310-9956-ffa450edef68
Simon Kitching
2006-11-19 09:17:43 +00:00
parent 256ada0e80
commit 71e706a644

@@ -58,7 +58,9 @@ behaviour. In earlier releases, this method did not use an AccessController when
obtaining the context classloader. In version 1.1 it did. In this release, it has
reverted to not using an AccessController; any user-level code that needs to obtain a
context classloader should itself create an AccessController, and call the
LogFactory.getContextClassLoader method via the doPrivileged method.
LogFactory.getContextClassLoader method via the doPrivileged method. This fixes a
potential security issue, where untrusted code could get access to the context
classloader if a signed JCL library was in the classpath.
== Dependencies ==
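Review bot: the sentence added to the getContextClassLoader paragraph calls the issue "potential" and does not say which releases are exposed. The paragraph states that only version 1.1 used an AccessController here, so say explicitly that 1.1 is the affected release and that anyone shipping a signed JCL 1.1 jar alongside untrusted code should move to this release. The context line "should itself create an AccessController" is also loose wording: java.security.AccessController is not instantiated, callers wrap the call in AccessController.doPrivileged with a PrivilegedAction. Tightening that makes the migration instruction usable as written.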
@@ -85,12 +87,13 @@ File commons-logging-api-nn.jar provides minimal adapters to external logging
libraries, just the internally implemented SimpleLog and NoOpLog classes
plus Jdk14Logger (which is currently required by Apache Tomcat).
This jar file may be used as a declared dependency for projects that care about
"transitive dependencies" and can't handle jar files such as commons-logging-nn.jar
which have "optional" dependencies depending on how they are used. In addition,
this jar file can be useful for "rebundlers" of JCL who recompile the source-code
but who may not be able to recompile against the full set of supported adapters;
such projects should be able to at least recreate an equivalent of this jar file.
The file commons-logging-api-nn.jar may be used as a declared dependency for
projects that care about "transitive dependencies" and can't handle jar files
such as commons-logging-nn.jar which have "optional" dependencies depending on
how they are used. In addition, this jar file can be useful for "rebundlers" of
JCL who recompile the source-code but who may not be able to recompile against
the full set of supported adapters; such projects should be able to at least
recreate an equivalent of this jar file.
== General Notes ==
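Review bot: the dependency paragraph is rewrapped in the same change that alters its wording, so the only textual difference ("This jar file" becoming "The file commons-logging-api-nn.jar") is buried in a full-paragraph reflow. Keep the original line breaks or do the rewrap in a separate commit, so the history shows what actually changed in the release notes.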
@@ -108,6 +111,9 @@ Software Foundation licensing rules. The terms and conditions are unaltered;
this merely affects how those are presented in the source files. See
http://www.apache.org/legal/src-headers.html
This release can be built/tested with maven 2.0.4. Maven 1.x and Ant continue
to be supported.
== Bugs Fixed ==
* LOGGING-106: JCL 1.1 was completely unusable under a security policy that prevented
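Review bot: "can be built/tested with maven 2.0.4" in the lines added to General Notes does not say whether 2.0.4 is a minimum version or simply the one that was tried, and "continue to be supported" does not say which of the three build systems produces the release artifacts. State both, since rebundlers (mentioned in the Dependencies section) need to know which build reproduces the published jars.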
@@ -121,6 +127,21 @@ this merely affects how those are presented in the source files. See
sufficient as an AccessController was not used. This has been fixed by catching
SecurityException and using an AccessController.
* MEV-392 (http://jira.codehaus.org/browse/MEV-392)
As JCL didn't provide a Maven2 pom.xml file, one was helpfully created by people
not involved with the commons-logging project and published to the standard maven
repositories. Unfortunately this pom declared normal dependencies on all the logging
libraries that are supported by the core JCL distribution, meaning they all get pulled
into a project that declares a dependency on JCL1.1. This release now provides an
"official" pom.xml which declares these dependencies as optional so they aren't
automatically included in projects that depend on JCL 1.1.1.
* (no bug#): Fix thread-safety bug (SimpleDateFormat.format is not thread-safe).
Thanks to Martin Wilson of bright-interactive for the bug report.
* (no bug#): Security issue regarding access to context classloader (see incompatibilities
section above).
DEPRECATIONS:
============
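Review bot: the last added entry, "Security issue regarding access to context classloader", is filed as "(no bug#)" and only points to the incompatibilities section, so someone scanning Bugs Fixed cannot tell what the exposure was. Repeat the one-sentence impact here (untrusted code could get access to the context classloader if a signed JCL library was in the classpath) and give it a tracker id so it can be referenced. The SimpleDateFormat entry has a similar gap: name the class that called SimpleDateFormat.format so users can judge whether they were affected. In the MEV-392 entry, "JCL1.1" and "JCL 1.1.1" should be spelled consistently.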