Hi folks,

Please take a look at the patch:
https://github.com/apache/zookeeper/pull/2376

Thanks,
Andor

> On May 11, 2026, at 02:46, Dávid Paksy <[email protected]> wrote:
>
> Hi All,
>
> Thanks everyone for your responses!
>
> I now raised the #2376 PR for the JDK17 / JDK25 support on master.
> If you can, please have a look and provide feedback.
>
> Many thanks in advance,
> Dávid
>
> Andor Molnár <[email protected]> wrote (on Tue, May 5, 2026, 17:41):
>
>> This should be that:
>>
>> https://issues.apache.org/jira/browse/ZOOKEEPER-5038
>>
>>> On May 5, 2026, at 04:09, Enrico Olivelli <[email protected]> wrote:
>>>
>>> On Mon, May 4, 2026, 22:15 Lari Hotari <[email protected]> wrote:
>>>
>>>> I'm just wondering if we could first decouple the code that uses Jetty
>>>> from zookeeper-server.
>>>>
>>>> I added this comment to ZOOKEEPER-5038:
>>>> =====
>>>> Since the recurring blocker for upgrading Jetty is the Java baseline
>>>> (Jetty 12 requires Java 17, while ZooKeeper still supports Java 8/11),
>>>> it would be useful to decouple the HTTP admin server from
>>>> zookeeper-server entirely.
>>>>
>>>> Concretely, the org.apache.zookeeper.server.admin package could be moved
>>>> out of the zookeeper-server module into a new, separate module — for
>>>> example zookeeper-server-http-admin. The rest of ZooKeeper would keep its
>>>> current Java 8/11 compatibility, and only this optional module would
>>>> require Java 17 (and pull in Jetty 12).
>>>>
>>>> To avoid a hard compile-time dependency from zookeeper-server on the new
>>>> module, the admin server could be loaded via reflection at runtime when
>>>> it is enabled in the configuration. That way users on older JDKs simply
>>>> don't enable the HTTP admin server, while users on Java 17+ get a fully
>>>> maintained Jetty.
>>>>
>>>> This would also let the Jetty upgrade proceed independently of the
>>>> broader Java baseline discussion.
>>>> =====
>>>>
>>>> Would this make sense?
>>>>
>>>
>>> It does.
>>>
>>> Let's create a JIRA, we should make this change before cutting the next
>>> release
>>>
>>> Enrico
>>>
>>>> -Lari
>>>>
>>>> On Mon, 4 May 2026 at 22:50, Andor Molnár <[email protected]> wrote:
>>>>
>>>>> Absolutely. That’s actually my original intention for the JDK 17
>>>>> upgrade. We should definitely upgrade to Jetty 12 once the JDK upgrade
>>>>> has landed.
>>>>>
>>>>> Thanks for the heads-up.
>>>>>
>>>>> Andor
>>>>>
>>>>>> On May 4, 2026, at 05:39, Lari Hotari <[email protected]> wrote:
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I'd like to raise a point related to the discussion about ZooKeeper's
>>>>>> minimum supported Java version.
>>>>>>
>>>>>> Jetty 9.x is end-of-life and no longer receives OSS security updates.
>>>>>> There are unaddressed CVEs that affect the 9.4.x line:
>>>>>>
>>>>>> - CVE-2026-2332 (High) – HTTP request smuggling via chunked extension
>>>>>>   parsing; affects Jetty <= 9.4.59. Fixed in 9.4.60.
>>>>>> - CVE-2025-11143 (Low) – differential URI parsing that can lead to
>>>>>>   security bypass; affects Jetty <= 9.4.58. Fixed in 9.4.59.
>>>>>>
>>>>>> The catch is that 9.4.59 and 9.4.60 are only available to customers
>>>>>> paying for commercial support (e.g. Webtide/HeroDevs NES). OSS projects
>>>>>> can no longer obtain security fixes for Jetty 9.x through Maven Central.
>>>>>>
>>>>>> The supported community line is Jetty 12.x, which requires Java 17 as
>>>>>> the baseline.
>>>>>>
>>>>>> In Apache Pulsar, we've had to carry a fairly invasive workaround to
>>>>>> upgrade to Jetty 12.x while still depending on ZooKeeper: we patch /
>>>>>> shadow the relevant Pulsar-side integration classes (the equivalents of
>>>>>> org.apache.zookeeper.server.admin and
>>>>>> org.apache.zookeeper.metrics.prometheus) so Pulsar can run on Jetty
>>>>>> 12.x even though ZooKeeper still pulls in Jetty 9.x. We'd very much like
>>>>>> to drop this hack, but that requires ZooKeeper itself to move off Jetty
>>>>>> 9.x.
>>>>>>
>>>>>> Given that Jetty 12.x requires Java 17, raising ZooKeeper's Java
>>>>>> baseline to 17 would unblock the Jetty upgrade and close the CVE
>>>>>> exposure for downstream OSS users at the same time. Would the project
>>>>>> consider tying the Java 17 baseline discussion to a Jetty 12 migration
>>>>>> on the same release line?
>>>>>>
>>>>>> Happy to help with the migration work if there's interest.
>>>>>>
>>>>>> -Lari
>>>>>>
>>>>>> On Thu, 30 Apr 2026 at 02:14, Andor Molnár <[email protected]> wrote:
>>>>>>
>>>>>>> I’m trying to extract the relevant information from the thread for
>>>>>>> you. Previously I wrote something like:
>>>>>>>
>>>>>>> “… we could make a leap and make JDK 17 the minimum runtime and
>>>>>>> compile versions for the master branch.
>>>>>>>
>>>>>>> Once the change is merged to master, we'll backport it to branch-3.9
>>>>>>> as follows:
>>>>>>>
>>>>>>> * minimum JDK for building: 17
>>>>>>> * minimum JRE for running: 8 (no change)”
>>>>>>>
>>>>>>> As far as I know, that’s what we agreed on, but unfortunately, no one
>>>>>>> has been willing to create a PR for it since then. Are you happy to
>>>>>>> work on it?
>>>>>>>
>>>>>>> Andor
>>>>>>>
>>>>>>>> On Apr 29, 2026, at 13:12, Andor Molnár <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Hi David,
>>>>>>>>
>>>>>>>> Thank you, your efforts are much appreciated.
>>>>>>>>
>>>>>>>> Yes. At the moment we still support Java 8 on all active branches.
>>>>>>>> There’s only one exception: the OWASP build process requires Java 11
>>>>>>>> to run.
>>>>>>>>
>>>>>>>> There were a bunch of discussions [1] and [2] recently regarding how
>>>>>>>> we should upgrade and which JDK versions we should support on our
>>>>>>>> branches. You might want to review them before going forward.
>>>>>>>>
>>>>>>>> [1] https://lists.apache.org/thread/42537mr70g3n8srzxg406xlssbcsqr7w
>>>>>>>> [2] https://lists.apache.org/thread/ng8gq261ts5znzt6wb3zgjwqpsoqfftv
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Andor
>>>>>>>>
>>>>>>>>> On Apr 29, 2026, at 07:57, Dávid Paksy <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> Hi ZooKeeper devs,
>>>>>>>>>
>>>>>>>>> I started to work on JDK25 support in ZooKeeper. The compilation
>>>>>>>>> works fine but for the tests to work I created ZOOKEEPER-5039 to
>>>>>>>>> upgrade Mockito to 5.23.0.
>>>>>>>>>
>>>>>>>>> I put up #2376 PR and I saw the GH Action builds at the moment are
>>>>>>>>> done using Java 8 and Java 11.
>>>>>>>>>
>>>>>>>>> Mockito 5.x requires Java 11 or higher. It will not work with Java 8.
>>>>>>>>> Mockito 4.x supported Java 8 but Mockito 4.x does not support Java 25.
>>>>>>>>>
>>>>>>>>> Do we have to support Java 8 on ZooKeeper master branch? I did not
>>>>>>>>> find any documentation regarding this.
>>>>>>>>>
>>>>>>>>> Thanks in advance,
>>>>>>>>> Dávid
