Hi folks,

JDK 17 patch is ready to be merged from CI’s perspective. Could we have some more eyeballs on the patch before merging it?

https://github.com/apache/zookeeper/pull/2376

Thanks,
Andor

> On May 28, 2026, at 04:21, Dávid Paksy <[email protected]> wrote:
>
> Hi All,
>
> Many thanks for the feedback so far, I implemented it.
>
> Can you please review https://github.com/apache/zookeeper/pull/2376
>
> Many thanks in advance,
> Dávid
>
> Andor Molnár <[email protected]> wrote (on Mon, May 11, 2026, 19:42):
>
>> Hi folks,
>>
>> Please take a look at the patch:
>>
>> https://github.com/apache/zookeeper/pull/2376
>>
>> Thanks,
>> Andor
>>
>>> On May 11, 2026, at 02:46, Dávid Paksy <[email protected]> wrote:
>>>
>>> Hi All,
>>>
>>> Thanks everyone for your responses!
>>>
>>> I now raised the #2376 PR for the JDK17 / JDK25 support on master.
>>> If you can please have a look and provide feedback.
>>>
>>> Many thanks in advance,
>>> Dávid
>>>
>>> Andor Molnár <[email protected]> wrote (on Tue, May 5, 2026, 17:41):
>>>
>>>> This should be that:
>>>>
>>>> https://issues.apache.org/jira/browse/ZOOKEEPER-5038
>>>>
>>>>> On May 5, 2026, at 04:09, Enrico Olivelli <[email protected]> wrote:
>>>>>
>>>>> On Mon 4 May 2026, 22:15 Lari Hotari <[email protected]> wrote:
>>>>>
>>>>>> I'm just wondering if we could first decouple the code that uses Jetty
>>>>>> from zookeeper-server.
>>>>>>
>>>>>> I added this comment to ZOOKEEPER-5038:
>>>>>> =====
>>>>>> Since the recurring blocker for upgrading Jetty is the Java baseline
>>>>>> (Jetty 12 requires Java 17, while ZooKeeper still supports Java 8/11),
>>>>>> it would be useful to decouple the HTTP admin server from
>>>>>> zookeeper-server entirely.
>>>>>>
>>>>>> Concretely, the org.apache.zookeeper.server.admin package could be
>>>>>> moved out of the zookeeper-server module into a new, separate module —
>>>>>> for example zookeeper-server-http-admin. The rest of ZooKeeper would
>>>>>> keep its current Java 8/11 compatibility, and only this optional module
>>>>>> would require Java 17 (and pull in Jetty 12).
>>>>>>
>>>>>> To avoid a hard compile-time dependency from zookeeper-server on the
>>>>>> new module, the admin server could be loaded via reflection at runtime
>>>>>> when it is enabled in the configuration. That way users on older JDKs
>>>>>> simply don't enable the HTTP admin server, while users on Java 17+ get
>>>>>> a fully maintained Jetty.
>>>>>>
>>>>>> This would also let the Jetty upgrade proceed independently of the
>>>>>> broader Java baseline discussion.
>>>>>> =====
>>>>>>
>>>>>> Would this make sense?
>>>>>>
>>>>>
>>>>> It does.
>>>>>
>>>>> Let's create a JIRA, we should make this change before cutting the next
>>>>> release
>>>>>
>>>>> Enrico
>>>>>
>>>>>> -Lari
>>>>>>
>>>>>> On Mon, 4 May 2026 at 22:50, Andor Molnár <[email protected]> wrote:
>>>>>>
>>>>>>> Absolutely. That’s actually my original intention for the JDK 17
>>>>>>> upgrade. We should definitely upgrade to Jetty 12 once the JDK
>>>>>>> upgrade landed.
>>>>>>>
>>>>>>> Thanks for the heads-up.
>>>>>>>
>>>>>>> Andor
>>>>>>>
>>>>>>>> On May 4, 2026, at 05:39, Lari Hotari <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I'd like to raise a point related to the discussion about
>>>>>>>> ZooKeeper's minimum supported Java version.
>>>>>>>>
>>>>>>>> Jetty 9.x is end-of-life and no longer receives OSS security
>>>>>>>> updates. There are unaddressed CVEs that affect the 9.4.x line:
>>>>>>>>
>>>>>>>> - CVE-2026-2332 (High) – HTTP request smuggling via chunked
>>>>>>>> extension parsing; affects Jetty <= 9.4.59. Fixed in 9.4.60.
>>>>>>>> - CVE-2025-11143 (Low) – differential URI parsing that can lead to
>>>>>>>> security bypass; affects Jetty <= 9.4.58. Fixed in 9.4.59.
>>>>>>>>
>>>>>>>> The catch is that 9.4.59 and 9.4.60 are only available to customers
>>>>>>>> paying for commercial support (e.g. Webtide/HeroDevs NES). OSS
>>>>>>>> projects can no longer obtain security fixes for Jetty 9.x through
>>>>>>>> Maven Central.
>>>>>>>>
>>>>>>>> The supported community line is Jetty 12.x, which requires Java 17
>>>>>>>> as the baseline.
>>>>>>>>
>>>>>>>> In Apache Pulsar, we've had to carry a fairly invasive workaround to
>>>>>>>> upgrade to Jetty 12.x while still depending on ZooKeeper: we patch /
>>>>>>>> shadow the relevant Pulsar-side integration classes (the equivalents
>>>>>>>> of org.apache.zookeeper.server.admin and
>>>>>>>> org.apache.zookeeper.metrics.prometheus) so Pulsar can run on Jetty
>>>>>>>> 12.x even though ZooKeeper still pulls in Jetty 9.x. We'd very much
>>>>>>>> like to drop this hack, but that requires ZooKeeper itself to move
>>>>>>>> off Jetty 9.x.
>>>>>>>>
>>>>>>>> Given that Jetty 12.x requires Java 17, raising ZooKeeper's Java
>>>>>>>> baseline to 17 would unblock the Jetty upgrade and close the CVE
>>>>>>>> exposure for downstream OSS users at the same time. Would the
>>>>>>>> project consider tying the Java 17 baseline discussion to a Jetty 12
>>>>>>>> migration on the same release line?
>>>>>>>>
>>>>>>>> Happy to help with the migration work if there's interest.
>>>>>>>>
>>>>>>>> -Lari
>>>>>>>>
>>>>>>>> On Thu, 30 Apr 2026 at 02:14, Andor Molnár <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> I’m trying to extract the relevant information from the thread for
>>>>>>>>> you. Previously I wrote something like:
>>>>>>>>>
>>>>>>>>> “… we could make a leap and make JDK 17 the minimum runtime and
>>>>>>>>> compile versions for the master branch.
>>>>>>>>>
>>>>>>>>> Once the change is merged to master, we'll backport it to
>>>>>>>>> branch-3.9 as follows:
>>>>>>>>>
>>>>>>>>> * minimum JDK for building: 17
>>>>>>>>> * minimum JRE for running: 8 (no change)”
>>>>>>>>>
>>>>>>>>> As far as I know, that’s what we agreed on, but unfortunately, no
>>>>>>>>> one has been willing to create a PR for it since then. Are you
>>>>>>>>> happy to work on it?
>>>>>>>>>
>>>>>>>>> Andor
>>>>>>>>>
>>>>>>>>>> On Apr 29, 2026, at 13:12, Andor Molnár <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi David,
>>>>>>>>>>
>>>>>>>>>> Thank you, your efforts are much appreciated.
>>>>>>>>>>
>>>>>>>>>> Yes. At the moment we still support Java 8 on all active branches.
>>>>>>>>>> There’s only one exception: OWASP build process requires Java 11
>>>>>>>>>> to run.
>>>>>>>>>>
>>>>>>>>>> There was a bunch of discussions [1] and [2] recently regarding
>>>>>>>>>> how should we upgrade and which JDK versions should we support on
>>>>>>>>>> our branches. You might want to review them before going forward.
>>>>>>>>>>
>>>>>>>>>> [1] https://lists.apache.org/thread/42537mr70g3n8srzxg406xlssbcsqr7w
>>>>>>>>>> [2] https://lists.apache.org/thread/ng8gq261ts5znzt6wb3zgjwqpsoqfftv
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Andor
>>>>>>>>>>
>>>>>>>>>>> On Apr 29, 2026, at 07:57, Dávid Paksy <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi ZooKeeper devs,
>>>>>>>>>>>
>>>>>>>>>>> I started to work on JDK25 support in ZooKeeper. The compilation
>>>>>>>>>>> works fine but for the tests to work I created ZOOKEEPER-5039 to
>>>>>>>>>>> upgrade Mockito to 5.23.0.
>>>>>>>>>>>
>>>>>>>>>>> I put up #2376 PR and I saw, the GH: Action builds at the moment
>>>>>>>>>>> are done using Java 8 and Java 11.
>>>>>>>>>>>
>>>>>>>>>>> Mockito 5.x requires Java 11 or higher. It will not work with
>>>>>>>>>>> Java 8. Mockito 4.x supported Java 8 but Mockito 4.x does not
>>>>>>>>>>> support Java 25.
>>>>>>>>>>>
>>>>>>>>>>> Do we have to support Java 8 on ZooKeeper master branch? I did
>>>>>>>>>>> not find any documentation regarding this.
>>>>>>>>>>>
>>>>>>>>>>> Thanks in advance,
>>>>>>>>>>> Dávid
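
The affected ranges Lari Hotari lists for the Jetty 9.4.x line can be checked against a build's resolved dependencies. The following is an added example, not part of the thread and not ZooKeeper or Pulsar code: it assumes `mvn dependency:list` output as input, and the sample lines and the names `audit`, `parse_version` and `AFFECTED_9_4` are constructed for illustration.

```python
import re

# Highest affected 9.4.x version per CVE, exactly as stated in the thread.
# Other Jetty lines are not evaluated here (assumption of this example).
AFFECTED_9_4 = {
    "CVE-2026-2332": (9, 4, 59),   # thread: fixed in 9.4.60
    "CVE-2025-11143": (9, 4, 58),  # thread: fixed in 9.4.59
}

# groupId:artifactId:type[:classifier]:version:scope, as printed by
# `mvn dependency:list`; only org.eclipse.jetty* groups are matched.
COORD = re.compile(
    r"(org\.eclipse\.jetty[\w.\-]*):([\w.\-]+):[\w\-]+(?::[\w.\-]+)?"
    r":(\d[\w.\-]*):\w+"
)

# Constructed sample input, not output from a real build.
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.eclipse.jetty:jetty-server:jar:9.4.58.v20250814:compile
[INFO]    org.eclipse.jetty:jetty-servlet:jar:9.4.59:compile
[INFO]    org.eclipse.jetty:jetty-http:jar:9.4.60:compile
[INFO]    org.eclipse.jetty:jetty-server:jar:12.0.16:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.30:compile
"""

def parse_version(text):
    """Return (major, minor, patch) from e.g. '9.4.57.v20241219', else None."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def audit(dependency_list):
    """Map 'group:artifact:version' to the CVE ids whose range covers it."""
    findings = {}
    for line in dependency_list.splitlines():
        m = COORD.search(line)
        if not m:
            continue  # not a Jetty coordinate
        group, artifact, version = m.groups()
        parsed = parse_version(version)
        if parsed is None or parsed[:2] != (9, 4):
            continue  # only the 9.4.x ranges from the thread are checked
        cves = sorted(c for c, last in AFFECTED_9_4.items() if parsed <= last)
        if cves:
            findings[f"{group}:{artifact}:{version}"] = cves
    return findings

if __name__ == "__main__":
    for coord, cves in audit(SAMPLE).items():
        print(coord, "->", ", ".join(cves))
```

Run it over the dependency list of every module that ships Jetty, including transitive consumers such as the admin server and the Prometheus metrics provider packages mentioned in the thread.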
