On Mon, 4 May 2026 at 22:15, Lari Hotari <[email protected]> wrote:

> I'm just wondering if we could first decouple the code that uses Jetty from
> zookeeper-server.
>
> I added this comment to ZOOKEEPER-5038:
> =====
> Since the recurring blocker for upgrading Jetty is the Java baseline (Jetty
> 12 requires Java 17, while ZooKeeper still supports Java 8/11), it would be
> useful to decouple the HTTP admin server from zookeeper-server entirely.
>
> Concretely, the org.apache.zookeeper.server.admin package could be moved
> out of the zookeeper-server module into a new, separate module — for
> example zookeeper-server-http-admin. The rest of ZooKeeper would keep its
> current Java 8/11 compatibility, and only this optional module would
> require Java 17 (and pull in Jetty 12).
>
> To avoid a hard compile-time dependency from zookeeper-server on the new
> module, the admin server could be loaded via reflection at runtime when it
> is enabled in the configuration. That way users on older JDKs simply don't
> enable the HTTP admin server, while users on Java 17+ get a fully
> maintained Jetty.
>
> This would also let the Jetty upgrade proceed independently of the broader
> Java baseline discussion.
> =====
>
> Would this make sense?
>

It does.

Let's create a JIRA, we should make this change before cutting the next
release.


Enrico




> -Lari
>
> On Mon, 4 May 2026 at 22:50, Andor Molnár <[email protected]> wrote:
>
> > Absolutely. That’s actually my original intention for the JDK 17 upgrade.
> > We should definitely upgrade to Jetty 12 once the JDK upgrade has landed.
> >
> > Thanks for the heads-up.
> >
> > Andor
> >
> >
> >
> > > On May 4, 2026, at 05:39, Lari Hotari <[email protected]> wrote:
> > >
> > > Hi all,
> > >
> > > I'd like to raise a point related to the discussion about ZooKeeper's
> > > minimum supported Java version.
> > >
> > > Jetty 9.x is end-of-life and no longer receives OSS security updates. There
> > > are unaddressed CVEs that affect the 9.4.x line:
> > >
> > > - CVE-2026-2332 (High) – HTTP request smuggling via chunked extension
> > > parsing; affects Jetty <= 9.4.59. Fixed in 9.4.60.
> > > - CVE-2025-11143 (Low) – differential URI parsing that can lead to security
> > > bypass; affects Jetty <= 9.4.58. Fixed in 9.4.59.
> > >
> > > The catch is that 9.4.59 and 9.4.60 are only available to customers paying
> > > for commercial support (e.g. Webtide/HeroDevs NES). OSS projects can no
> > > longer obtain security fixes for Jetty 9.x through Maven Central.
> > >
> > > The supported community line is Jetty 12.x, which requires Java 17 as the
> > > baseline.
> > >
> > > In Apache Pulsar, we've had to carry a fairly invasive workaround to
> > > upgrade to Jetty 12.x while still depending on ZooKeeper: we patch / shadow
> > > the relevant Pulsar-side integration classes (the equivalents of
> > > org.apache.zookeeper.server.admin and
> > > org.apache.zookeeper.metrics.prometheus) so Pulsar can run on Jetty 12.x
> > > even though ZooKeeper still pulls in Jetty 9.x. We'd very much like to drop
> > > this hack, but that requires ZooKeeper itself to move off Jetty 9.x.
> > >
> > > Given that Jetty 12.x requires Java 17, raising ZooKeeper's Java baseline
> > > to 17 would unblock the Jetty upgrade and close the CVE exposure for
> > > downstream OSS users at the same time. Would the project consider tying the
> > > Java 17 baseline discussion to a Jetty 12 migration on the same release
> > > line?
> > >
> > > Happy to help with the migration work if there's interest.
> > >
> > > -Lari
> > >
> > > On Thu, 30 Apr 2026 at 02:14, Andor Molnár <[email protected]> wrote:
> > >
> > >> I’m trying to extract the relevant information from the thread for you.
> > >> Previously I wrote something like:
> > >>
> > >> “… we could make a leap and make JDK 17 the minimum runtime and compile
> > >> versions for the master branch.
> > >>
> > >> Once the change is merged to master, we'll backport it to branch-3.9 as
> > >> follows:
> > >>
> > >> * minimum JDK for building: 17
> > >> * minimum JRE for running: 8 (no change)”
> > >>
> > >> As far as I know, that’s what we agreed on, but unfortunately, no one has
> > >> been willing to create a PR for it since then. Are you happy to work on it?
> > >>
> > >> Andor
> > >>
> > >>
> > >>
> > >>> On Apr 29, 2026, at 13:12, Andor Molnár <[email protected]> wrote:
> > >>>
> > >>> Hi David,
> > >>>
> > >>> Thank you, your efforts are much appreciated.
> > >>>
> > >>> Yes. At the moment we still support Java 8 on all active branches.
> > >>> There’s only one exception: OWASP build process requires Java 11 to run.
> > >>>
> > >>> There was a bunch of discussions [1] and [2] recently regarding how should we
> > >>> upgrade and which JDK versions should we support on our branches. You might
> > >>> want to review them before going forward.
> > >>>
> > >>> [1] https://lists.apache.org/thread/42537mr70g3n8srzxg406xlssbcsqr7w
> > >>> [2] https://lists.apache.org/thread/ng8gq261ts5znzt6wb3zgjwqpsoqfftv
> > >>>
> > >>> Regards,
> > >>> Andor
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>> On Apr 29, 2026, at 07:57, Dávid Paksy <[email protected]> wrote:
> > >>>>
> > >>>> Hi ZooKeeper devs,
> > >>>>
> > >>>> I started to work on JDK25 support in ZooKeeper. The compilation works fine
> > >>>> but for the tests to work I created ZOOKEEPER-5039 to upgrade Mockito to
> > >>>> 5.23.0.
> > >>>>
> > >>>> I put up #2376 PR and I saw, the GH: Action builds at the moment are done
> > >>>> using Java 8 and Java 11.
> > >>>>
> > >>>> Mockito 5.x requires Java 11 or higher. It will not work with Java 8.
> > >>>> Mockito 4.x supported Java 8 but Mockito 4.x does not support Java 25.
> > >>>>
> > >>>> Do we have to support Java 8 on ZooKeeper master branch? I did not find
> > >>>> any documentation regarding this.
> > >>>>
> > >>>> Thanks in advance,
> > >>>> Dávid
> > >>>
> > >>
> > >>
> >
> >
>
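
The reflection-based loading proposed in the thread, shown as an added example that is not part of any message above and is not ZooKeeper's own code. The `AdminServer` interface, the class names and the `example.admin.enableServer` property are hypothetical; the point is the failure modes a core module built for Java 8/11 has to handle when the optional Java 17 module is absent or cannot be linked.

```java
public class OptionalAdminLoader {
    /** Hypothetical minimal contract shared by the core module and the optional module. */
    public interface AdminServer {
        void start() throws Exception;
        void shutdown() throws Exception;
    }

    /** Fallback used when the HTTP admin server is disabled or cannot be loaded. */
    static final class NoopAdminServer implements AdminServer {
        @Override public void start() { }
        @Override public void shutdown() { }
    }

    // Fixed constant, never read from configuration, so only this class can be instantiated.
    // Placeholder name: the real class would live in the separate Java 17 module.
    static final String IMPL_CLASS = "example.admin.JettyAdminServer";

    static AdminServer create(boolean enabled, String implClass) {
        if (!enabled) {
            return new NoopAdminServer();
        }
        try {
            Class<?> impl = Class.forName(implClass);
            return impl.asSubclass(AdminServer.class).getDeclaredConstructor().newInstance();
        } catch (ClassNotFoundException | NoClassDefFoundError e) {
            // The optional module, or the Jetty 12 jars it needs, is not on the classpath.
            System.err.println("admin server module not available: " + e);
        } catch (UnsupportedClassVersionError e) {
            // The module is present but was compiled for Java 17 and the JVM is 8 or 11.
            System.err.println("admin server needs a newer JVM: " + e);
        } catch (ReflectiveOperationException | ClassCastException e) {
            // No accessible no-arg constructor, the constructor threw, or the type is wrong.
            System.err.println("admin server could not be instantiated: " + e);
        }
        return new NoopAdminServer();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical switch standing in for "enabled in the configuration".
        boolean enabled =
            Boolean.parseBoolean(System.getProperty("example.admin.enableServer", "true"));
        AdminServer server = create(enabled, IMPL_CLASS);
        System.out.println("using " + server.getClass().getSimpleName());
        server.start();
        server.shutdown();
    }
}
```

Run without the optional module on the classpath, this prints the "not available" message and falls back to `NoopAdminServer`, so the core process starts without opening an HTTP listener.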
