Hi, Keeping our fingers crossed for this backport to make it into 3.9.
We are using Kafka client as a 3rd, and 4th party dependency (through Confluent Parallel Consumer - @astubbs), in a collection of Helidon MP 4.1.6 microservices. When do you estimate would we know for sure whether it will be in? Thanks. - Jan. On 2025/03/17 17:14:21 Stig Rohde Døssing wrote: > Thanks Ismail, > > I've opened https://github.com/apache/kafka/pull/19221 just to get any test > failures out of the way in case it is decided to do this backport. > > I'm hoping people will weigh in with their concerns in this thread if they > don't like the idea of backporting this change. > > Den man. 17. mar. 2025 kl. 16.43 skrev Ismael Juma <me...@ismaeljuma.com>: > > > Hi Stig, > > > > Kafka 4.0 is likely to be released in a day or two. Even so, I think it > > makes sense to revive the backporting thread given the lack of workaround > > for Java 24. > > > > Ismael > > > > On Mon, Mar 17, 2025 at 7:44 AM Stig Rohde Døssing < stigdoess...@gmail.com > > > > > wrote: > > > > > Hi, > > > > > > Some months ago, a reflective shim was added in > > > https://issues.apache.org/jira/browse/KAFKA-17078, in order to support > > > running Kafka with SASL on JDKs that no longer support the security > > > manager. > > > > > > This shim was added only to Kafka 4.0, but backporting was discussed in > > > https://lists.apache.org/thread/vl43q9wqq4xs67xx61f0t0850y2b037o. There > > > was > > > no clear consensus for or against backporting, but it ended up not > > > happening. At the time, users could work around the issue by enabling the > > > Security Manager again via a command-line flag. > > > > > > Java 24, which is planned to release tomorrow, no longer has this > > > workaround available. > > > > > > This leaves users running Java 23 (I am one) in a slightly uncomfortable > > > spot. > > > > > > If Kafka releases 4.0 in the next month, we can rush to upgrade to that, > > > and hope that the first release has no regressions. > > > > > > Otherwise, we will need to downgrade back to Java 21, since staying on 23 > > > isn't a good idea past Oracle's quarterly security update in April (see > > > https://www.oracle.com/security-alerts/), which will include patches > > that > > > won't be released for Java 23. > > > > > > Would there be strong objections to attempting a backport of this shim > > to a > > > 3.9.x release? > > > > > >
