This should be that:

https://issues.apache.org/jira/browse/ZOOKEEPER-5038




> On May 5, 2026, at 04:09, Enrico Olivelli <[email protected]> wrote:
> 
> On Mon, 4 May 2026, 22:15 Lari Hotari <[email protected]> wrote:
> 
>> I'm just wondering if we could first decouple the code that uses Jetty from
>> zookeeper-server.
>> 
>> I added this comment to ZOOKEEPER-5038:
>> =====
>> Since the recurring blocker for upgrading Jetty is the Java baseline (Jetty
>> 12 requires Java 17, while ZooKeeper still supports Java 8/11), it would be
>> useful to decouple the HTTP admin server from zookeeper-server entirely.
>> 
>> Concretely, the org.apache.zookeeper.server.admin package could be moved
>> out of the zookeeper-server module into a new, separate module — for
>> example zookeeper-server-http-admin. The rest of ZooKeeper would keep its
>> current Java 8/11 compatibility, and only this optional module would
>> require Java 17 (and pull in Jetty 12).
>> 
>> To avoid a hard compile-time dependency from zookeeper-server on the new
>> module, the admin server could be loaded via reflection at runtime when it
>> is enabled in the configuration. That way users on older JDKs simply don't
>> enable the HTTP admin server, while users on Java 17+ get a fully
>> maintained Jetty.
>> 
>> This would also let the Jetty upgrade proceed independently of the broader
>> Java baseline discussion.
>> =====
>> 
>> Would this make sense?
>> 
> 
> It does.
> 
> Let's create a JIRA, we should make this change before cutting the next
> release
> 
> 
> Enrico
> 
> 
> 
> 
>> -Lari
>> 
>> On Mon, 4 May 2026 at 22:50, Andor Molnár <[email protected]> wrote:
>> 
>>> Absolutely. That’s actually my original intention for the JDK 17 upgrade.
>>> We should definitely upgrade to Jetty 12 once the JDK upgrade has landed.
>>> 
>>> Thanks for the heads-up.
>>> 
>>> Andor
>>> 
>>> 
>>> 
>>>> On May 4, 2026, at 05:39, Lari Hotari <[email protected]> wrote:
>>>> 
>>>> Hi all,
>>>> 
>>>> I'd like to raise a point related to the discussion about ZooKeeper's
>>>> minimum supported Java version.
>>>> 
>>>> Jetty 9.x is end-of-life and no longer receives OSS security updates. There
>>>> are unaddressed CVEs that affect the 9.4.x line:
>>>> 
>>>> - CVE-2026-2332 (High) – HTTP request smuggling via chunked extension
>>>> parsing; affects Jetty <= 9.4.59. Fixed in 9.4.60.
>>>> - CVE-2025-11143 (Low) – differential URI parsing that can lead to security
>>>> bypass; affects Jetty <= 9.4.58. Fixed in 9.4.59.
>>>> 
>>>> The catch is that 9.4.59 and 9.4.60 are only available to customers paying
>>>> for commercial support (e.g. Webtide/HeroDevs NES). OSS projects can no
>>>> longer obtain security fixes for Jetty 9.x through Maven Central.
>>>> 
>>>> The supported community line is Jetty 12.x, which requires Java 17 as the
>>>> baseline.
>>>> 
>>>> In Apache Pulsar, we've had to carry a fairly invasive workaround to
>>>> upgrade to Jetty 12.x while still depending on ZooKeeper: we patch / shadow
>>>> the relevant Pulsar-side integration classes (the equivalents of
>>>> org.apache.zookeeper.server.admin and
>>>> org.apache.zookeeper.metrics.prometheus) so Pulsar can run on Jetty 12.x
>>>> even though ZooKeeper still pulls in Jetty 9.x. We'd very much like to drop
>>>> this hack, but that requires ZooKeeper itself to move off Jetty 9.x.
>>>> 
>>>> Given that Jetty 12.x requires Java 17, raising ZooKeeper's Java baseline
>>>> to 17 would unblock the Jetty upgrade and close the CVE exposure for
>>>> downstream OSS users at the same time. Would the project consider tying the
>>>> Java 17 baseline discussion to a Jetty 12 migration on the same release
>>>> line?
>>>> 
>>>> Happy to help with the migration work if there's interest.
>>>> 
>>>> -Lari
>>>> 
>>>> On Thu, 30 Apr 2026 at 02:14, Andor Molnár <[email protected]> wrote:
>>>> 
>>>>> I’m trying to extract the relevant information from the thread for you.
>>>>> Previously I wrote something like:
>>>>> 
>>>>> “… we could make a leap and make JDK 17 the minimum runtime and compile
>>>>> versions for the master branch.
>>>>> 
>>>>> Once the change is merged to master, we'll backport it to branch-3.9 as
>>>>> follows:
>>>>> 
>>>>> * minimum JDK for building: 17
>>>>> * minimum JRE for running: 8 (no change)”
>>>>> 
>>>>> As far as I know, that’s what we agreed on, but unfortunately, no one has
>>>>> been willing to create a PR for it since then. Are you happy to work on it?
>>>>> 
>>>>> Andor
>>>>> 
>>>>> 
>>>>> 
>>>>>> On Apr 29, 2026, at 13:12, Andor Molnár <[email protected]> wrote:
>>>>>> 
>>>>>> Hi David,
>>>>>> 
>>>>>> Thank you, your efforts are much appreciated.
>>>>>> 
>>>>>> Yes. At the moment we still support Java 8 on all active branches.
>>>>>> There’s only one exception: OWASP build process requires Java 11 to run.
>>>>>> 
>>>>>> There were a bunch of discussions [1] and [2] recently regarding how we
>>>>>> should upgrade and which JDK versions we should support on our branches.
>>>>>> You might want to review them before going forward.
>>>>>> 
>>>>>> [1] https://lists.apache.org/thread/42537mr70g3n8srzxg406xlssbcsqr7w
>>>>>> [2] https://lists.apache.org/thread/ng8gq261ts5znzt6wb3zgjwqpsoqfftv
>>>>>> 
>>>>>> Regards,
>>>>>> Andor
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On Apr 29, 2026, at 07:57, Dávid Paksy <[email protected]> wrote:
>>>>>>> 
>>>>>>> Hi ZooKeeper devs,
>>>>>>> 
>>>>>>> I started to work on JDK25 support in ZooKeeper. The compilation works
>>>>>>> fine but for the tests to work I created ZOOKEEPER-5039 to upgrade
>>>>>>> Mockito to 5.23.0.
>>>>>>> 
>>>>>>> I put up PR #2376 and I saw that the GH Actions builds at the moment are
>>>>>>> done using Java 8 and Java 11.
>>>>>>> 
>>>>>>> Mockito 5.x requires Java 11 or higher. It will not work with Java 8.
>>>>>>> Mockito 4.x supported Java 8 but Mockito 4.x does not support Java 25.
>>>>>>> 
>>>>>>> Do we have to support Java 8 on ZooKeeper master branch? I did not find
>>>>>>> any documentation regarding this.
>>>>>>> 
>>>>>>> Thanks in advance,
>>>>>>> Dávid
>>>>>> 
>>>>> 
>>>>> 
>>> 
>>> 
>> 
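
The reflection-based loading proposed in the quoted ZOOKEEPER-5038 comment, sketched as an added example that is not part of the thread and is not ZooKeeper code. The interface, the implementation class name and the `admin.enableServer` key are hypothetical; the sketch chooses to refuse startup when the admin server is enabled but cannot be loaded.

```java
import java.util.Properties;

public class OptionalAdminLoader {
    /** Small contract the core module compiles against (hypothetical). */
    public interface AdminServer { void start() throws Exception; }

    /** Stand-in used when the HTTP admin server is not enabled. */
    static final class NoopAdminServer implements AdminServer {
        @Override public void start() { /* opens no listener */ }
    }
    // Hypothetical names for this sketch: implementation class and config key.
    static final String IMPL = "org.example.admin.JettyHttpAdminServer";
    static final String ENABLE_KEY = "admin.enableServer";

    static int javaFeatureVersion() {
        // "1.8" on Java 8; "11", "17", ... on later releases.
        String v = System.getProperty("java.specification.version");
        return Integer.parseInt(v.startsWith("1.") ? v.substring(2) : v);
    }

    static AdminServer load(Properties cfg) {
        if (!Boolean.parseBoolean(cfg.getProperty(ENABLE_KEY, "false"))) {
            return new NoopAdminServer();
        }
        if (javaFeatureVersion() < 17) {
            throw new IllegalStateException(
                "HTTP admin server needs Java 17+, found " + javaFeatureVersion());
        }
        try {
            // Resolved by name only, so the core has no compile-time link to Jetty.
            return Class.forName(IMPL).asSubclass(AdminServer.class)
                        .getDeclaredConstructor().newInstance();
        } catch (ClassNotFoundException | LinkageError e) {
            // Jar missing, or built for a newer class-file version than this JVM.
            throw new IllegalStateException("admin module not loadable: " + e, e);
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("admin server could not be created", e);
        }
    }

    public static void main(String[] args) {
        Properties cfg = new Properties();
        System.out.println(load(cfg).getClass().getSimpleName()); // disabled case
        cfg.setProperty(ENABLE_KEY, "true");
        try {
            load(cfg);
        } catch (IllegalStateException e) {
            System.out.println("refused to start: " + e.getMessage());
        }
    }
}
```

Catching `LinkageError` matters here because a class compiled for Java 17 fails on an older JVM with `UnsupportedClassVersionError`, which is not a `ClassNotFoundException`.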
