Hi Jinwoo, Thanks to everyone for picking up the geode and moving forward!
I want to mention a few other major libraries that are left behind on EOL versions now: Jetty and Lucene (6 years old). Not sure if they are even needed and maybe those modules should be deprecated if there is no interest in maintaining them. On Fri, Sep 19, 2025 at 7:29 AM Jinwoo Hwang <[email protected]> wrote: > Dear Apache Geode Developer Community, > > Thank you for your continued support in delivering version 1.15.2. After a > three-year hiatus, this milestone reflects the resilience and collaboration > that define our community. Special appreciation to Niall for resolving the > SVN permission issue—the last mile to our finish line. > Now that we are almost at the finish line, let’s not slow down—let’s > accelerate. > > I would like to propose Apache Geode 2.0.0, a major modernization effort > that positions the project for long-term sustainability, stronger security, > and better developer experience. Below is a draft roadmap of proposed > upgrades—each representing a significant leap forward: > > > > *Proposed Upgrades for Apache Geode 2.0.0* > *Upgrade Java Runtime from 1.8 to 17* > > - Addresses numerous known vulnerabilities reported since 2019. > - Brings performance improvements and modern language features. > - Aligns with long-term support (LTS) standards. > > *Upgrade Spring Framework to Version 6* > > - Resolves numerous CVEs that have been reported in prior versions. > While we cannot confirm whether Apache Geode is directly affected, > upgrading is a proactive step toward minimizing exposure. > - Aligns with Java 17 and Jakarta EE 9. > - Introduces cleaner APIs and reactive programming support. > > *Upgrade Spring Security to Version 6* > > - Addresses several high-severity vulnerabilities. Again, while we > cannot confirm Geode’s exposure, upgrading ensures alignment with > current > security best practices. > - Simplifies configuration with SecurityFilterChain. > - Aligns with Jakarta EE 9 and modern security practices. > - Offers a zero-known-vulnerability baseline in current releases. > > *Migrate from Java EE to Jakarta EE 9* > > - Required for Java 17+ compatibility. > - Provides updated specifications and active community support. > > *Update Build Configuration for Java 17 Compatibility* > > - Upgrade Gradle Version 6 to 7.3.3 to Support Java 17 Tool Chain. > - Enables consistent builds across environments. > - Improves build performance and dependency resolution. > - Aligns with modern standards and mitigates known risks. > > *Remediation of any undisclosed security vulnerabilities* > > > These are not just technical upgrades—they are strategic investments in the > future of Apache Geode. They will help us stay relevant, secure, and > performant in a rapidly evolving ecosystem. > > To make this vision a reality, we need your help. This release is already > generating excitement—so much so that I’ve been personally contacted by > individuals asking how they can contribute to the Geode community. That > kind of energy is rare, and we’d be remiss not to harness it. > > We’re looking for: > > - Feedback to make this roadmap more comprehensive and aligned with > community needs. > - Volunteers to help review pull requests as we finalize these changes. > - Contributors interested in shaping the future of Apache Geode through > code, documentation, testing, and ideas. > > > Whether you’re a long-time committer or a new contributor, your > participation will be instrumental in making Apache Geode 2.0.0 a reality. > Let’s build the future of Geode, together—with clarity, purpose, and > momentum. > > Best regards, > Jinwoo Hwang (he/him/his) > > SAS® Research and Development > http://JinwooHwang.com >
