I don't see any secure alternative that does not break backwards compatibility on 9.x, and since we want to continue some 9.x releases, this resolution seems acceptable. We just have to notify users properly about this. And it is not like we do not provide options.
So +1 for me too for removing support for 1.x.. If this backfires after release we still can patch the release and add it back. On Fri, 12 Dec 2025, 00:34 Jan Høydahl, <[email protected]> wrote: > Hi, > > Tika 1.28 has been EOL since September 2022, and all its aging > dependencies, which we still ship in Solr 9.x, keep producing CVEs almost > weekly. > As Solr 9.10 has gained TikaServer support, I propose that we simply > declare "local" tika backend too old to ship and remove it in Solr 9.11. > > It will be a break from our normal back-compat promise. But I think it is > warranted in this case. > The alternative is to upgrade "local" Tika to 3.x, but that would be a > back-compat break as well (metadata), with no clear benefit over TikaServer. > > If this thread gains consensus I'll start a VOTE thread to formally decide > an exception. > > Jan > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > >
