Hi all,

any other opinions / perspectives from the committers / PMC members? 
I’d like to encourage everyone to participate in this important discussion.

Please share those within the next 1 or 2 weeks so we can find a consensus and 
come to a decision.

Best
Martin
--

> Am 20.06.2026 um 12:38 schrieb Kristian Rickert <[email protected]>:
> 
> Hi all,
> 
> I agree with Richard's points. To add my two cents:
> 
> It is increasingly important to keep software up to date. The higher
> velocity required to patch CVEs today (which is a positive development)
> results in significantly more churn when back-porting compared to the past.
> 
> I empathize with the time-consuming nature of updating libraries; this
> empathy is reflected heavily in the 3.0 API. We implemented  additional
> code specifically to ensure the transition from version 2 to 3 is as
> seamless as possible.  We did this because we know maintaining backward
> APIs is hard.
> 
> Furthermore, it is typical for projects to EOL two versions back when
> releasing a major version. This transition often happens even faster for
> projects with heavy dependencies.
> 
> If anyone has any issues transitioning off a 1.x build, they can try the
> dev forums for help - I'm sure they'll find the guidance they need.
> 
> Best regards,
> 
> Kristian Rickert
> 
> 
> On Fri, Jun 19, 2026 at 1:52 PM Richard Zowalla <[email protected]> wrote:
> 
>> In contrast to Solr, the OpenNLP community is very small, and backporting
>> and maintaining different branches (3.x, 2.x, 1.x) is time consuming and
>> honestly not much fun, unless you happen to have a day job that actually
>> needs it.
>> 
>> So from my POV this is really a volunteer-capacity question. Also for
>> reviewing, testing and producing an actual release.
>> 
>> If someone is willing to step up and do the work: fine. And consumers who
>> still need 1.9.x are free to fork it, or take a patch-based approach (like
>> it can be done via the TomEE patch plugin) to update the jars in place,
>> especially if this is solely about satisfying CVE scanners and similar.
>> We’ve been running an EOL policy in Apache TomEE for quite a while now, and
>> so do Apache Storm and Apache Tomcat. I don't think maintaining versions
>> endlessly is a good thing (at least from a volunteer capacity side of
>> things; you can still wrap around a business model .
>> 
>> What happens when the next transitive CVE shows up in a lib that itself is
>> no longer patched? From my experience, that just gets cumbersome.
>> 
>> We had that scenario in TomEE 9.x once Tomcat 10.0.x went EOL pretty fast;
>> so I was back porting Tomcat patches and patching inline for quite a few
>> months (wasn’t fun at all).
>> 
>> In a perfect world with lots of people willing to do the work: fine. But
>> that doesn't apply to the current OpenNLP community  IMHO, or at least not
>> yet.
>> 
>> Richard
>> 
>> 
>> 
>>> Am 19.06.2026 um 16:14 schrieb Eric Pugh <
>> [email protected]>:
>>> 
>>> I am not a committer, but I’d leave towards leaving it open ended if the
>> tooling to produce a release remains working.
>>> 
>>> I think EOL is very important to convey “hey, we no longer can produce a
>> release” or “we no longer have the in house knowledge to maintain this”,
>> but if the release process is still manageable, and people aren’t trying to
>> jam in NEW FEATURES into 1.x, then I don’t see why you need to close it
>> off.
>>> 
>>> I am very appreciative of the 1.9.5 coming out, and I would hope that if
>> more CVE’s pop up, being able to publish a 1.9.6 would be great.
>>> 
>>> 
>>> What if, and this is just an idea, you reframed things?  Instead of
>> talking about EOL, what if you talked about LTS: Long Term Support.
>>> 
>>> 1.9 is our LTS.  If a CVE pops up, you can expect a 1.9.6 or 1.9.7.
>> There will never be a 1.10 with new features.   All new features will go
>> to OpenNLP 3.  We reserve the right to decide when 1.9 line is no longer
>> LTS.
>>> 
>>> 
>>> My experience in Solr is that there is a HUGE set of people who are
>> happy with their specific solution, and won’t ever upgrade till there is a
>> big event.  For them, knowing they are on a LTS version, and knowing that
>> it can be produced reasonably easily, seems like a win-win for everyone.
>> When 1.9.x becomes a pain to release, then call the LTS period “done”.
>>> 
>>> I wrote down some specifics that I haven’t actually shared with the Solr
>> community yet, but here you go:
>> https://docs.google.com/document/d/17qJIfbSoRYvwrPt5OWjqmliwghflDzV9fA0XmXmNSBE/edit?usp=sharing
>>> 
>>> Eric
>>> 
>>> 
>>>> On Jun 18, 2026, at 12:39 PM, Kristian Rickert <[email protected]>
>> wrote:
>>>> 
>>>> a) +1
>>>> b) I'd lean on a short grace period.
>>>> 
>>>> 
>>>> On Wed, Jun 17, 2026 at 11:52 PM Richard Zowalla <[email protected]>
>>>> wrote:
>>>> 
>>>>> a) +1
>>>>> b) b2/b3 (if other CVEs are approaching)
>>>>> 
>>>>> Examples: https://tomcat.apache.org/tomcat-9.0.x-eos.html <
>> https://tomcat.apache.org/tomcat-9.0.x-eos.html>
>>>>> 
>>>>>> Am 18.06.2026 um 05:23 schrieb Martin Wiesner <[email protected]>:
>>>>>> 
>>>>>> Hi all,
>>>>>> 
>>>>>> given recent security fixes that landed in OpenNLP's main branch and
>> the
>>>>> request for back porting these changes to the very oldskoolish 1.9.x
>> line
>>>>> [1], the people involved noticed that the efforts to maintain three
>>>>> separate version lines along the road were pretty high and resource
>>>>> consuming.
>>>>>> 
>>>>>> Therefore, I'd like to propose to (finally) declare Apache OpenNLP
>> 1.9.x
>>>>> EOL publicly via a News announcement on the project's website.
>>>>>> 
>>>>>> Primary questions:
>>>>>> (a) Do we have consensus that such an EOL announcement is long overdue
>>>>> and should be put out rather soonish?
>>>>>> (b) Time of the announcement: Options that I see:
>>>>>> - b1: Directly with the projected release of the 1.9.5, marking it as
>>>>> the last release ever to be expected for OpenNLP 1.x.
>>>>>> - b2: Shortly after - with a grace period - for instance End of July
>>>>> 2026, or similar short ranged targets.
>>>>>> - b3: End of year 2026, that is Dec 31, 2026
>>>>>> (c) Are there any requirements by the ASF to put out an EOL
>>>>> announcement? Jeff, do you have infos about it?
>>>>>> 
>>>>>> Open for others to add thoughts and related aspects to this
>> discussion.
>>>>>> Please share your opinions and provide (your) answers to question (a)
>> to
>>>>> (c).
>>>>>> 
>>>>>> Best
>>>>>> Martin | mawiesne
>>>>>> --
>>>>>> [1] https://lists.apache.org/thread/nvzl4g2b6rc149nf54xpnorjso5h0mlp
>> <https://lists.apache.org/thread/nvzl4g2b6rc149nf54xpnorjso5h0mlp>
>>>>> 
>>> 
>>> Disclaimer
>>> 
>>> The information contained in this communication from the sender is
>> confidential. It is intended solely for use by the recipient and others
>> authorized to receive it. If you are not the recipient, you are hereby
>> notified that any disclosure, copying, distribution or taking action in
>> relation of the contents of this information is strictly prohibited and may
>> be unlawful.
>>> 
>>> This email has been scanned for viruses and malware, and may have been
>> automatically archived by Mimecast, a leader in email security and cyber
>> resilience. Mimecast integrates email defenses with brand protection,
>> security awareness training, web security, compliance and other essential
>> capabilities. Mimecast helps protect large and small organizations from
>> malicious activity, human error and technology failure; and to lead the
>> movement toward building a more resilient world. To find out more, visit
>> our website.
>> 
>> 

Reply via email to