@Ceki Gülcü This is a comment I saw. I think what he said is very reasonable. Logback may consider this improvement idea.

The log4j core template should not include many infrequently used functions, such as JNDI and JDBC. This is not the best choice. Most users use a log library, which usually has two requirements: 1. Write to the local file . 2. Write to the console. The core module can retain these two functions. If this is done, there will be no JNDI vulnerability.