(Remko: Paraphrasing discussion on the log4j dev mailing list. Please feel free to update/modify):
When the Apache HttpClient 5.0 library gets pulled into an Android project, the Lint static code analyzer reports two severe violations due to transitive dependency through Log4j APIs 2.8 on Java RMI and Java Management APIs.
At the moment adding a transitive dependency on log4j2-api causes any Android build to fail with a scary invalid package error. Surely this error can be ignored with a custom lint rule but it may present a certain reason for concert to less experienced developers.
This is caused by Log4j's use of MarshalledObject: User domain objects and exceptions are wrapped in MarshalledObject when LogEvents are serialized. This allows applications like Lilith to deserialize LogEvents even when not all domain classes are on the classpath (
Consider finding a different way to solve this problem that does not require MarshalledObject.