Apache Logging Services

You can use one of the following channels to download the Logging Services release distributions.

Important

All Logging Services projects distribute convenience binaries that are easy to install for the programming language platform they target. You are strongly advised to check the installation instructions in the website of the project (Log4cxx, Log4j, Log4net, etc.) you are trying to install.

Official distribution channels

In accordance with the Apache Software Foundation’s release distribution policy and creation process, all Logging Services release distributions are officially accessible from the following channels:

ASF Distribution directory (contains the most recent releases)
ASF Distribution directory archive (contains all published releases)

Java distribution channels

ASF Release and snapshot Nexus repositories (mirrored to the Maven Central Repository)

.NET distribution channels

Apache.Logging organization in NuGet

Verification

All Logging Services release distributions are digitally signed by the release manager and provided with checksum files. You can verify a distribution by following the below shared instructions:

# Download and import the release manager public keys
wget -O - https://downloads.apache.org/logging/KEYS | gpg --import

# Verify signatures
for sigFile in *.asc; do gpg --verify $sigFile; done

# Verify checksums
shasum --check *.sha512

Software Bill of Materials (SBOM)

Many Logging Services projects distribute CycloneDX Software Bill of Materials (SBOM) along with each deployed artifact. This is streamlined by Logging Parent for Maven-based projects.

Produced SBOMs contain BOM-links referring to a CycloneDX Vulnerability Disclosure Report (VDR) that Apache Logging Services uses for all projects it maintains. This VDR is accessible through the following URL: https://logging.apache.org/cyclonedx/vdr.xml