+1 on dropping local Tika extraction in 9.11.

While it breaks our back-compat promise, its benefit of keeping users
secure clearly outweighs that.

On Thu, Dec 11, 2025 at 4:50 PM Tim Allison <[email protected]> wrote:

> Please don't ship anything with Tika 1.x.
>
> Jan, your work on slotting in tika-server is amazing. Please go forth with
> that, and consider 3.x at some point. :D
>
> On Thu, Dec 11, 2025 at 5:34 PM Jan Høydahl <[email protected]> wrote:
>
> > Hi,
> >
> > Tika 1.28 has been EOL since September 2022, and all its aging
> > dependencies, which we still ship in Solr 9.x, keep producing CVEs almost
> > weekly.
> > As Solr 9.10 has gained TikaServer support, I propose that we simply
> > declare "local" tika backend too old to ship and remove it in Solr 9.11.
> >
> > It will be a break from our normal back-compat promise. But I think it is
> > warranted in this case.
> > The alternative is to upgrade "local" Tika to 3.x, but that would be a
> > back-compat break as well (metadata), with no clear benefit over
> > TikaServer.
> >
> > If this thread gains consensus I'll start a VOTE thread to formally
> > decide an exception.
> >
> > Jan


-- 
Anshum Gupta
