To whom it may concern...

Jackrabbit's RMI support has been essentially unmaintained for half a
decade now, and also does not support JCR 2.0.

We recently had to go into emergency mode due to vulnerabilities of
components used by us when accessed over RMI (see
https://nvd.nist.gov/vuln/detail/CVE-2023-37895).

In response to that, we have changed the default settings in our server
and standalone bundles (https://issues.apache.org/jira/browse/JCR-4960),
and have removed the use of the vulnerable component
(https://issues.apache.org/jira/browse/JCR-4949).

As next steps, I'd like to first formally deprecate jackrabbit-jcr-rmi
(https://issues.apache.org/jira/browse/JCR-4973), and then later remove
it altogether (https://issues.apache.org/jira/browse/JCR-4972). The
deprecation would get backported to the stable maintenance branch
(2.20.x), while the removal would only happen in the unstable branch for
now.

Feedback appreciated (either here or in the tickets).

Best regards, Julian

