I'm just wondering if we could first decouple the code that uses Jetty from zookeeper-server.
I added this comment to ZOOKEEPER-5038:

=====
Since the recurring blocker for upgrading Jetty is the Java baseline (Jetty 12 requires Java 17, while ZooKeeper still supports Java 8/11), it would be useful to decouple the HTTP admin server from zookeeper-server entirely. Concretely, the org.apache.zookeeper.server.admin package could be moved out of the zookeeper-server module into a new, separate module — for example zookeeper-server-http-admin. The rest of ZooKeeper would keep its current Java 8/11 compatibility, and only this optional module would require Java 17 (and pull in Jetty 12). To avoid a hard compile-time dependency from zookeeper-server on the new module, the admin server could be loaded via reflection at runtime when it is enabled in the configuration. That way users on older JDKs simply don't enable the HTTP admin server, while users on Java 17+ get a fully maintained Jetty. This would also let the Jetty upgrade proceed independently of the broader Java baseline discussion.
=====

Would this make sense?

-Lari

On Mon, 4 May 2026 at 22:50, Andor Molnár <[email protected]> wrote:

> Absolutely. That’s actually my original intention for the JDK 17 upgrade.
> We should definitely upgrade to Jetty 12 once the JDK upgrade landed.
>
> Thanks for the heads-up.
>
> Andor
>
> > On May 4, 2026, at 05:39, Lari Hotari <[email protected]> wrote:
> >
> > Hi all,
> >
> > I'd like to raise a point related to the discussion about ZooKeeper's
> > minimum supported Java version.
> >
> > Jetty 9.x is end-of-life and no longer receives OSS security updates.
> > There are unaddressed CVEs that affect the 9.4.x line:
> >
> > - CVE-2026-2332 (High) – HTTP request smuggling via chunked extension
> >   parsing; affects Jetty <= 9.4.59. Fixed in 9.4.60.
> > - CVE-2025-11143 (Low) – differential URI parsing that can lead to
> >   security bypass; affects Jetty <= 9.4.58. Fixed in 9.4.59.
> >
> > The catch is that 9.4.59 and 9.4.60 are only available to customers
> > paying for commercial support (e.g. Webtide/HeroDevs NES). OSS projects
> > can no longer obtain security fixes for Jetty 9.x through Maven Central.
> >
> > The supported community line is Jetty 12.x, which requires Java 17 as the
> > baseline.
> >
> > In Apache Pulsar, we've had to carry a fairly invasive workaround to
> > upgrade to Jetty 12.x while still depending on ZooKeeper: we patch /
> > shadow the relevant Pulsar-side integration classes (the equivalents of
> > org.apache.zookeeper.server.admin and
> > org.apache.zookeeper.metrics.prometheus) so Pulsar can run on Jetty 12.x
> > even though ZooKeeper still pulls in Jetty 9.x. We'd very much like to
> > drop this hack, but that requires ZooKeeper itself to move off Jetty 9.x.
> >
> > Given that Jetty 12.x requires Java 17, raising ZooKeeper's Java baseline
> > to 17 would unblock the Jetty upgrade and close the CVE exposure for
> > downstream OSS users at the same time. Would the project consider tying
> > the Java 17 baseline discussion to a Jetty 12 migration on the same
> > release line?
> >
> > Happy to help with the migration work if there's interest.
> >
> > -Lari
> >
> > On Thu, 30 Apr 2026 at 02:14, Andor Molnár <[email protected]> wrote:
> >
> >> I’m trying to extract the relevant information from the thread for you.
> >> Previously I wrote something like:
> >>
> >> “… we could make a leap and make JDK 17 the minimum runtime and compile
> >> versions for the master branch.
> >>
> >> Once the change is merged to master, we'll backport it to branch-3.9 as
> >> follows:
> >>
> >> * minimum JDK for building: 17
> >> * minimum JRE for running: 8 (no change) “
> >>
> >> As far as I know, that’s what we agreed on, but unfortunately, no one
> >> has been willing to create a PR for it since then. Are you happy to work
> >> on it?
> >>
> >> Andor
> >>
> >>> On Apr 29, 2026, at 13:12, Andor Molnár <[email protected]> wrote:
> >>>
> >>> Hi David,
> >>>
> >>> Thank you, your efforts are much appreciated.
> >>>
> >>> Yes. At the moment we still support Java 8 on all active branches.
> >>> There’s only one exception: OWASP build process requires Java 11 to
> >>> run.
> >>>
> >>> There was a bunch of discussions [1] and [2] recently regarding how
> >>> should we upgrade and which JDK versions should we support on our
> >>> branches. You might want to review them before going forward.
> >>>
> >>> [1] https://lists.apache.org/thread/42537mr70g3n8srzxg406xlssbcsqr7w
> >>> [2] https://lists.apache.org/thread/ng8gq261ts5znzt6wb3zgjwqpsoqfftv
> >>>
> >>> Regards,
> >>> Andor
> >>>
> >>>> On Apr 29, 2026, at 07:57, Dávid Paksy <[email protected]> wrote:
> >>>>
> >>>> Hi ZooKeeper devs,
> >>>>
> >>>> I started to work on JDK25 support in ZooKeeper. The compilation works
> >>>> fine but for the tests to work I created ZOOKEEPER-5039 to upgrade
> >>>> Mockito to 5.23.0.
> >>>>
> >>>> I put up #2376 PR and I saw, the GH: Action builds at the moment are
> >>>> done using Java 8 and Java 11.
> >>>>
> >>>> Mockito 5.x requires Java 11 or higher. It will not work with Java 8.
> >>>> Mockito 4.x supported Java 8 but Mockito 4.x does not support Java 25.
> >>>>
> >>>> Do we have to support Java 8 on ZooKeeper master branch? I did not
> >>>> find any documentation regarding this.
> >>>>
> >>>> Thanks in advance,
> >>>> Dávid
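
The reflective loading proposed in the top message of this thread, sketched as an added example; it is not ZooKeeper code and not from any participant in the thread. The `AdminServer` interface, `NoopAdminServer`, and the implementation class name `HttpAdminServer` are hypothetical. The case it covers beyond the proposal's wording is an optional module that is on the classpath but compiled for Java 17 while the JVM is older, which surfaces as `UnsupportedClassVersionError` rather than `ClassNotFoundException`.

```java
/** Added illustration; every type and class name in this file is hypothetical. */
public class AdminServerLoader {

    /** Minimal contract that would stay in zookeeper-server (Java 8 bytecode). */
    public interface AdminServer {
        void start() throws Exception;
    }

    /** Fallback used when the HTTP admin server is disabled or cannot be loaded. */
    static final class NoopAdminServer implements AdminServer {
        @Override
        public void start() { /* nothing to start */ }
    }

    // Hypothetical implementation class that would live in the optional module.
    static final String IMPL = "org.apache.zookeeper.server.admin.HttpAdminServer";

    static AdminServer load(boolean enabled, String implClass) {
        if (!enabled) {
            return new NoopAdminServer();
        }
        try {
            // initialize=false: check the type before any static initializer runs.
            Class<?> c = Class.forName(implClass, false,
                    AdminServerLoader.class.getClassLoader());
            return c.asSubclass(AdminServer.class)
                    .getDeclaredConstructor().newInstance();
        } catch (ClassNotFoundException | NoClassDefFoundError e) {
            // The optional module, or Jetty itself, is not on the classpath.
            System.err.println("admin server module not present: " + e);
        } catch (UnsupportedClassVersionError e) {
            // The module is present but was compiled for a newer JDK than this JVM.
            System.err.println("admin server needs a newer Java runtime: " + e.getMessage());
        } catch (ClassCastException | ReflectiveOperationException e) {
            // Wrong type, no public no-arg constructor, or the constructor threw.
            System.err.println("admin server class is not usable: " + e);
        }
        return new NoopAdminServer();
    }

    public static void main(String[] args) throws Exception {
        // Without the optional module on the classpath this falls back to the no-op.
        AdminServer server = load(true, IMPL);
        System.out.println("loaded: " + server.getClass().getSimpleName());
        server.start();
    }
}
```

Logging the reason for the fallback matters operationally: an operator who enabled the admin server and sees it silently absent cannot tell a missing jar from a JDK mismatch.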
