Hello, here's my +1 Best regards, Samuel
Il giorno mar 3 feb 2026 alle ore 14:53 Francesco Chicchiriccò < [email protected]> ha scritto: > Update on this topic after some time: > > 1. Syncope 3.0.16 and 4.0.4 just released, with the former likely being > the very last from 3_0_X > 2. Syncope 4.1 ready to get at least its first milestone release anytime > soon > 3. Syncope 5.0 being prepared in [6] > > About (3), besides "normal" upgrades to get Jakarta EE 11 compatibility, > you might notice we are planning to replace OpenJPA with Hibernate ORM. > Such a choice was somehow mandated by the fact that OpenJPA is not yet > implementing the Jakarta Persistence 3.2 specs, part of Jakarta EE 11. > > Please note that Hibernate ORM was in use years ago, before entering the > ASF Incubator and had to be replaced at that time because of its license; > this issue is now superseded because AL 2.0 was lately adopted: see [7]. > > WDYT? > Regards. > > On 21/11/25 12:42, Francesco Chicchiriccò wrote: > > Hi all, > > I was reflecting about the OSS support window provided by some of the > most notable dependencies in use by Syncope. > > > > Depending on component releases out of their OSS support window > ultimately means no possibility to upgrade to a newer version when > something critical (a CVE, for example) is issued, and fixes are made > available only with latest versions. > > > > * Spring Boot [1] > > > > ** 3.4 ends in December 2025 > > ** 3.5 ends in June 2026 > > ** 4.0 ends in December 2026 > > > > * Spring Framework [2] > > > > ** 6.2 ends in June 2026 > > ** 7.0 ends in June 2027 > > > > * Spring Security [3] > > > > ** 6.4 ends in December 2025 > > ** 6.5 ends in June 2026 > > ** 7.0 ends in December 2026 > > > > * Spring Cloud Gateway [4] > > > > ** 4.2 ends in December 2025 > > ** 4.3 ends in June 2026 > > ** 5.0 ends in December 2026 > > > > * Apereo CAS [5] > > > > ** 7.2 ends in September 2025 > > ** 7.3 ends in March 2026 > > > > Our "release trains" are set as follows: > > > > 1. Syncope 4.0 > > - Spring Boot 3.4 (with Framework 6.2, Security 6.4 and Cloud Gateway > 4.2) > > - Apereo CAS 7.2 > > > > 2. Syncope 4.1 > > - Spring Boot 3.5 (with Framework 6.2, Security 6.5 and Cloud Gateway > 4.3) > > - Apereo CAS 7.3 > > > > 3. Syncope 5.0 (?) > > - Spring Boot 4.0 (with Framework 7.0, Security 7.0 and Cloud Gateway > 5.0) > > - Apereo CAS 8.0 > > > > > > Overall, this means that: > > > > * Syncope 4.0 will not be able to get further dependency updates between > December 2025 and March 2026 > > * Syncope 4.1 will not be able to get further dependency updates between > June 2026 and September 2026 > > > > For these reasons, I think we should plan to get out Syncope 4.1.0 in > the first months of 2026, March at most, and immediately afterwards start > preparing for Syncope 5.0. > > > > WDYT? > > Regards. > > > > [1] https://spring.io/projects/spring-boot#support > > [2] https://spring.io/projects/spring-framework#support > > [3] https://spring.io/projects/spring-security#support > > [4] https://spring.io/projects/spring-cloud-gateway#support > > [5] > https://apereo.github.io/cas/developer/Maintenance-Policy.html#eol-schedule > [6] https://github.com/apache/syncope/pull/1258 > [7] https://hibernate.org/community/license/ > > -- > Francesco Chicchiriccò > > Tirasa - Open Source Excellence > http://www.tirasa.net/ > > Member at The Apache Software Foundation > Syncope, Cocoon, Olingo, CXF, OpenJPA > https://about.me/ilgrosso > >
