Thanks for all your hard work on this @ceki, greatly appreciated. We all know that the JNDI/log4j issues have cause a lot of extra, unexpected work for many of us in an already hectic season of the year.

However, the removal of Groovy-support without any previous warning (as far as I can tell) in a security release like this is very unfortunate. We (like probably many other Logback users) have a large, complex configuration file written in Groovy at the moment. While it's probably possible to convert this to XML format, it does involve a significant amount of work. In the end, it may make people less likely to upgrade to Logback 1.2.9 (which defeats the purpose of this security update in the first place).

I would strongly urge that the removal of Groovy support would be reverted (and a 1.2.10 release being made), so we can all get the other security fixes applied ASAP.

I'm completely fine with removing Groovy support eventually, but please be aware that doing this kind of change in a patch-level release very strongly breaks the whole concept of Semantic Versioning. Being able to configure Logback using Groovy is definitely a part of the public API. In other words, this kind of change should go into a Logback version 2.0 or similar, if we are to follow the SemVer thinking on release versioning.

Again, please don't get me wrong in this - I really appreciate what you are doing (and have been doing through the years). I just think that we should be very careful to forcing these kind of "unexpected" changes onto our users with very little prior notice that it's going to happen.

Thanks & take care.