Vineet Reynolds

Reputation: 76709

Choosing the right version of Apache Commons Logging

I've got dependencies on several Apache TLPs (Top Level Projects) like Apache Axis, Commons HttpClient, Commons DBCP, Commons Transaction etc.

Each of these projects has a dependency on JCL (Commons Logging) and every project depends on a different version of JCL.

Which version of JCL should I be choosing - will the highest version be the best choice? Will higher versions of JCL be compatible with projects that were compiled against a lower version (some of the projects were compiled against a 1.0.x release of JCL, whereas others have been compiled against 1.1.x)? Does the JCL project itself convey this information somewhere?

Upvotes: 2

Views: 232

Answers (1)

Mnementh

Reputation: 51311

The RELEASE-NOTES of version 1.1.1 say the following:

== Incompatibilities ==

The protected method LogFactory.getContextClassLoader has been reverted to pre-1.1
behaviour. In earlier releases, this method did not use an AccessController when
obtaining the context classloader. In version 1.1 it did. In this release, it has
reverted to not using an AccessController; any user-level code that needs to obtain
a context classloader should itself create an AccessController, and call the
LogFactory.getContextClassLoader method via the doPrivileged method. This fixes a
potential security issue, where untrusted code could get access to the context
classloader if a signed Commons Logging library was in the classpath.

That sounds very specific to me. I would try the newest version (1.1.1) and see if any problems occur.

Upvotes: 2
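
The release note quoted in the answer asks callers to wrap the context classloader lookup in `doPrivileged` themselves. The following is an added example, not code from the original post or from Commons Logging, showing that call against JCL 1.1.1; the class name `PrivilegedContextLoader` and the helper `contextClassLoader` are hypothetical.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

import org.apache.commons.logging.LogFactory;

/**
 * Added example (hypothetical class and method names).
 * LogFactory.getContextClassLoader is protected, so the caller has to be a
 * LogFactory subclass. It stays abstract and non-instantiable because only
 * the static helper is needed.
 */
abstract class PrivilegedContextLoader extends LogFactory {

    private PrivilegedContextLoader() {
    }

    /**
     * Looks up the thread context classloader with this class's own
     * permissions. Kept package-private on purpose: a public wrapper would
     * hand the classloader to any caller, which is the exposure the 1.1.1
     * release note describes for the 1.1 behaviour.
     */
    static ClassLoader contextClassLoader() {
        // AccessController is deprecated for removal since Java 17; the
        // pattern applies to runtimes that still enforce a SecurityManager.
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            @Override
            public ClassLoader run() {
                // Permission checks stop at this frame, so less-trusted
                // callers further up the stack are not consulted.
                return getContextClassLoader();
            }
        });
    }
}
```

Code that relied on the 1.1 behaviour and runs under a security manager needs a wrapper like this after moving to 1.1.1; code compiled against 1.0.x never had the library-side `AccessController` call.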