Hi All, Thanks everyone for your responses!
I now raised the #2376 PR for the JDK17 / JDK25 support on master. If you can please have a look and provide feedback. Many thanks in advance, Dávid Andor Molnár <[email protected]> ezt írta (időpont: 2026. máj. 5., K, 17:41): > This should be that: > > https://issues.apache.org/jira/browse/ZOOKEEPER-5038 > > > > > > On May 5, 2026, at 04:09, Enrico Olivelli <[email protected]> wrote: > > > > Il Lun 4 Mag 2026, 22:15 Lari Hotari <[email protected]> ha scritto: > > > >> I'm just wondering if we could first decouple the code that uses Jetty > from > >> zookeeper-server. > >> > >> I added this comment to ZOOKEEPER-5038: > >> ===== > >> Since the recurring blocker for upgrading Jetty is the Java baseline > (Jetty > >> 12 requires Java 17, while ZooKeeper still supports Java 8/11), it > would be > >> useful to decouple the HTTP admin server from zookeeper-server entirely. > >> > >> Concretely, the org.apache.zookeeper.server.admin package could be moved > >> out of the zookeeper-server module into a new, separate module — for > >> example zookeeper-server-http-admin. The rest of ZooKeeper would keep > its > >> current Java 8/11 compatibility, and only this optional module would > >> require Java 17 (and pull in Jetty 12). > >> > >> To avoid a hard compile-time dependency from zookeeper-server on the new > >> module, the admin server could be loaded via reflection at runtime when > it > >> is enabled in the configuration. That way users on older JDKs simply > don't > >> enable the HTTP admin server, while users on Java 17+ get a fully > >> maintained Jetty. > >> > >> This would also let the Jetty upgrade proceed independently of the > broader > >> Java baseline discussion. > >> ===== > >> > >> Would this make sense? > >> > > > > It does. > > > > Let's create a JIRA, we should make this change before cutting the next > > release > > > > > > Enrico > > > > > > > > > >> -Lari > >> > >> On Mon, 4 May 2026 at 22:50, Andor Molnár <[email protected]> wrote: > >> > >>> Absolutely. That’s actually my original intention for the JDK 17 > upgrade. > >>> We should definitely upgrade to Jetty 12 once the JDK upgraded landed. > >>> > >>> Thanks for the heads-up. > >>> > >>> Andor > >>> > >>> > >>> > >>>> On May 4, 2026, at 05:39, Lari Hotari <[email protected]> wrote: > >>>> > >>>> Hi all, > >>>> > >>>> I'd like to raise a point related to the discussion about ZooKeeper's > >>>> minimum supported Java version. > >>>> > >>>> Jetty 9.x is end-of-life and no longer receives OSS security updates. > >>> There > >>>> are unaddressed CVEs that affect the 9.4.x line: > >>>> > >>>> - CVE-2026-2332 (High) – HTTP request smuggling via chunked extension > >>>> parsing; affects Jetty <= 9.4.59. Fixed in 9.4.60. > >>>> - CVE-2025-11143 (Low) – differential URI parsing that can lead to > >>> security > >>>> bypass; affects Jetty <= 9.4.58. Fixed in 9.4.59. > >>>> > >>>> The catch is that 9.4.59 and 9.4.60 are only available to customers > >>> paying > >>>> for commercial support (e.g. Webtide/HeroDevs NES). OSS projects can > no > >>>> longer obtain security fixes for Jetty 9.x through Maven Central. > >>>> > >>>> The supported community line is Jetty 12.x, which requires Java 17 as > >> the > >>>> baseline. > >>>> > >>>> In Apache Pulsar, we've had to carry a fairly invasive workaround to > >>>> upgrade to Jetty 12.x while still depending on ZooKeeper: we patch / > >>> shadow > >>>> the relevant Pulsar-side integration classes (the equivalents of > >>>> org.apache.zookeeper.server.admin and > >>>> org.apache.zookeeper.metrics.prometheus) so Pulsar can run on Jetty > >> 12.x > >>>> even though ZooKeeper still pulls in Jetty 9.x. We'd very much like to > >>> drop > >>>> this hack, but that requires ZooKeeper itself to move off Jetty 9.x. > >>>> > >>>> Given that Jetty 12.x requires Java 17, raising ZooKeeper's Java > >> baseline > >>>> to 17 would unblock the Jetty upgrade and close the CVE exposure for > >>>> downstream OSS users at the same time. Would the project consider > tying > >>> the > >>>> Java 17 baseline discussion to a Jetty 12 migration on the same > release > >>>> line? > >>>> > >>>> Happy to help with the migration work if there's interest. > >>>> > >>>> -Lari > >>>> > >>>> On Thu, 30 Apr 2026 at 02:14, Andor Molnár <[email protected]> wrote: > >>>> > >>>>> I’m trying to extract the relevant information from the thread for > >> you. > >>>>> Previously I wrote something like: > >>>>> > >>>>> “… we could make a leap and make JDK 17 the minimum runtime and > >> compile > >>>>> versions for the master branch. > >>>>> > >>>>> Once the change is merged to master, we'll backport it to branch-3.9 > >> as > >>>>> follows: > >>>>> > >>>>> * minimum JDK for building: 17 > >>>>> * minimum JRE for running: 8 (no change) “ > >>>>> > >>>>> As far as I know, that’s what we agreed on, but unfortunately, no one > >>> has > >>>>> been willing to create a PR for it since then. Are you happy to work > >> on > >>> it? > >>>>> > >>>>> Andor > >>>>> > >>>>> > >>>>> > >>>>>> On Apr 29, 2026, at 13:12, Andor Molnár <[email protected]> wrote: > >>>>>> > >>>>>> Hi David, > >>>>>> > >>>>>> Thank you, your efforts are much appreciated. > >>>>>> > >>>>>> Yes. At the moment we still support Java 8 on all active branches. > >>>>>> There’s only one exception: Owasp build process requires Java 11 to > >>> run. > >>>>>> > >>>>>> There was a bunch of discussions [1] and [2] recently regarding how > >>>>> should we > >>>>>> upgrade and which JDK versions should we support on our branches. > You > >>>>> might > >>>>>> want to review them before going forward. > >>>>>> > >>>>>> [1] > https://lists.apache.org/thread/42537mr70g3n8srzxg406xlssbcsqr7w > >>>>>> [2] > https://lists.apache.org/thread/ng8gq261ts5znzt6wb3zgjwqpsoqfftv > >>>>>> > >>>>>> Regards, > >>>>>> Andor > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>>> On Apr 29, 2026, at 07:57, Dávid Paksy <[email protected]> wrote: > >>>>>>> > >>>>>>> Hi ZooKeeper devs, > >>>>>>> > >>>>>>> I started to work on JDK25 support in ZooKeeper. The compilation > >> works > >>>>> fine > >>>>>>> but for the tests to work I created ZOOKEEPER-5039 to upgrade > >> Mockito > >>> to > >>>>>>> 5.23.0. > >>>>>>> > >>>>>>> I put up #2376 PR and I saw, the GH: Action builds at the moment > are > >>>>> done > >>>>>>> using Java 8 and Java 11. > >>>>>>> > >>>>>>> Mockito 5.x requires Java 11 or higher. It will not work with Java > >> 8. > >>>>>>> Mockito 4.x supported Java 8 but Mockito 4.x does not support Java > >> 25. > >>>>>>> > >>>>>>> Do we have to support Java 8 on ZooKeeper master branch? I did not > >>> found > >>>>>>> any documentation regarding this. > >>>>>>> > >>>>>>> Thanks in advance, > >>>>>>> Dávid > >>>>>> > >>>>> > >>>>> > >>> > >>> > >> > >
