Hi All, Many thanks for the feedback so far, I implemented it.
Can you please review https://github.com/apache/zookeeper/pull/2376 Many thanks in advance, Dávid Andor Molnár <[email protected]> ezt írta (időpont: 2026. máj. 11., H, 19:42): > Hi folks, > > Please take a look at the patch: > > https://github.com/apache/zookeeper/pull/2376 > > Thanks, > Andor > > > > > > On May 11, 2026, at 02:46, Dávid Paksy <[email protected]> wrote: > > > > Hi All, > > > > Thanks everyone for your responses! > > > > I now raised the #2376 PR for the JDK17 / JDK25 support on master. > > If you can please have a look and provide feedback. > > > > Many thanks in advance, > > Dávid > > > > > > > > Andor Molnár <[email protected]> ezt írta (időpont: 2026. máj. 5., K, > 17:41): > > > >> This should be that: > >> > >> https://issues.apache.org/jira/browse/ZOOKEEPER-5038 > >> > >> > >> > >> > >>> On May 5, 2026, at 04:09, Enrico Olivelli <[email protected]> wrote: > >>> > >>> Il Lun 4 Mag 2026, 22:15 Lari Hotari <[email protected]> ha scritto: > >>> > >>>> I'm just wondering if we could first decouple the code that uses Jetty > >> from > >>>> zookeeper-server. > >>>> > >>>> I added this comment to ZOOKEEPER-5038: > >>>> ===== > >>>> Since the recurring blocker for upgrading Jetty is the Java baseline > >> (Jetty > >>>> 12 requires Java 17, while ZooKeeper still supports Java 8/11), it > >> would be > >>>> useful to decouple the HTTP admin server from zookeeper-server > entirely. > >>>> > >>>> Concretely, the org.apache.zookeeper.server.admin package could be > moved > >>>> out of the zookeeper-server module into a new, separate module — for > >>>> example zookeeper-server-http-admin. The rest of ZooKeeper would keep > >> its > >>>> current Java 8/11 compatibility, and only this optional module would > >>>> require Java 17 (and pull in Jetty 12). > >>>> > >>>> To avoid a hard compile-time dependency from zookeeper-server on the > new > >>>> module, the admin server could be loaded via reflection at runtime > when > >> it > >>>> is enabled in the configuration. That way users on older JDKs simply > >> don't > >>>> enable the HTTP admin server, while users on Java 17+ get a fully > >>>> maintained Jetty. > >>>> > >>>> This would also let the Jetty upgrade proceed independently of the > >> broader > >>>> Java baseline discussion. > >>>> ===== > >>>> > >>>> Would this make sense? > >>>> > >>> > >>> It does. > >>> > >>> Let's create a JIRA, we should make this change before cutting the next > >>> release > >>> > >>> > >>> Enrico > >>> > >>> > >>> > >>> > >>>> -Lari > >>>> > >>>> On Mon, 4 May 2026 at 22:50, Andor Molnár <[email protected]> wrote: > >>>> > >>>>> Absolutely. That’s actually my original intention for the JDK 17 > >> upgrade. > >>>>> We should definitely upgrade to Jetty 12 once the JDK upgraded > landed. > >>>>> > >>>>> Thanks for the heads-up. > >>>>> > >>>>> Andor > >>>>> > >>>>> > >>>>> > >>>>>> On May 4, 2026, at 05:39, Lari Hotari <[email protected]> wrote: > >>>>>> > >>>>>> Hi all, > >>>>>> > >>>>>> I'd like to raise a point related to the discussion about > ZooKeeper's > >>>>>> minimum supported Java version. > >>>>>> > >>>>>> Jetty 9.x is end-of-life and no longer receives OSS security > updates. > >>>>> There > >>>>>> are unaddressed CVEs that affect the 9.4.x line: > >>>>>> > >>>>>> - CVE-2026-2332 (High) – HTTP request smuggling via chunked > extension > >>>>>> parsing; affects Jetty <= 9.4.59. Fixed in 9.4.60. > >>>>>> - CVE-2025-11143 (Low) – differential URI parsing that can lead to > >>>>> security > >>>>>> bypass; affects Jetty <= 9.4.58. Fixed in 9.4.59. > >>>>>> > >>>>>> The catch is that 9.4.59 and 9.4.60 are only available to customers > >>>>> paying > >>>>>> for commercial support (e.g. Webtide/HeroDevs NES). OSS projects can > >> no > >>>>>> longer obtain security fixes for Jetty 9.x through Maven Central. > >>>>>> > >>>>>> The supported community line is Jetty 12.x, which requires Java 17 > as > >>>> the > >>>>>> baseline. > >>>>>> > >>>>>> In Apache Pulsar, we've had to carry a fairly invasive workaround to > >>>>>> upgrade to Jetty 12.x while still depending on ZooKeeper: we patch / > >>>>> shadow > >>>>>> the relevant Pulsar-side integration classes (the equivalents of > >>>>>> org.apache.zookeeper.server.admin and > >>>>>> org.apache.zookeeper.metrics.prometheus) so Pulsar can run on Jetty > >>>> 12.x > >>>>>> even though ZooKeeper still pulls in Jetty 9.x. We'd very much like > to > >>>>> drop > >>>>>> this hack, but that requires ZooKeeper itself to move off Jetty 9.x. > >>>>>> > >>>>>> Given that Jetty 12.x requires Java 17, raising ZooKeeper's Java > >>>> baseline > >>>>>> to 17 would unblock the Jetty upgrade and close the CVE exposure for > >>>>>> downstream OSS users at the same time. Would the project consider > >> tying > >>>>> the > >>>>>> Java 17 baseline discussion to a Jetty 12 migration on the same > >> release > >>>>>> line? > >>>>>> > >>>>>> Happy to help with the migration work if there's interest. > >>>>>> > >>>>>> -Lari > >>>>>> > >>>>>> On Thu, 30 Apr 2026 at 02:14, Andor Molnár <[email protected]> > wrote: > >>>>>> > >>>>>>> I’m trying to extract the relevant information from the thread for > >>>> you. > >>>>>>> Previously I wrote something like: > >>>>>>> > >>>>>>> “… we could make a leap and make JDK 17 the minimum runtime and > >>>> compile > >>>>>>> versions for the master branch. > >>>>>>> > >>>>>>> Once the change is merged to master, we'll backport it to > branch-3.9 > >>>> as > >>>>>>> follows: > >>>>>>> > >>>>>>> * minimum JDK for building: 17 > >>>>>>> * minimum JRE for running: 8 (no change) “ > >>>>>>> > >>>>>>> As far as I know, that’s what we agreed on, but unfortunately, no > one > >>>>> has > >>>>>>> been willing to create a PR for it since then. Are you happy to > work > >>>> on > >>>>> it? > >>>>>>> > >>>>>>> Andor > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>>> On Apr 29, 2026, at 13:12, Andor Molnár <[email protected]> wrote: > >>>>>>>> > >>>>>>>> Hi David, > >>>>>>>> > >>>>>>>> Thank you, your efforts are much appreciated. > >>>>>>>> > >>>>>>>> Yes. At the moment we still support Java 8 on all active branches. > >>>>>>>> There’s only one exception: Owasp build process requires Java 11 > to > >>>>> run. > >>>>>>>> > >>>>>>>> There was a bunch of discussions [1] and [2] recently regarding > how > >>>>>>> should we > >>>>>>>> upgrade and which JDK versions should we support on our branches. > >> You > >>>>>>> might > >>>>>>>> want to review them before going forward. > >>>>>>>> > >>>>>>>> [1] > >> https://lists.apache.org/thread/42537mr70g3n8srzxg406xlssbcsqr7w > >>>>>>>> [2] > >> https://lists.apache.org/thread/ng8gq261ts5znzt6wb3zgjwqpsoqfftv > >>>>>>>> > >>>>>>>> Regards, > >>>>>>>> Andor > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>>> On Apr 29, 2026, at 07:57, Dávid Paksy <[email protected]> > wrote: > >>>>>>>>> > >>>>>>>>> Hi ZooKeeper devs, > >>>>>>>>> > >>>>>>>>> I started to work on JDK25 support in ZooKeeper. The compilation > >>>> works > >>>>>>> fine > >>>>>>>>> but for the tests to work I created ZOOKEEPER-5039 to upgrade > >>>> Mockito > >>>>> to > >>>>>>>>> 5.23.0. > >>>>>>>>> > >>>>>>>>> I put up #2376 PR and I saw, the GH: Action builds at the moment > >> are > >>>>>>> done > >>>>>>>>> using Java 8 and Java 11. > >>>>>>>>> > >>>>>>>>> Mockito 5.x requires Java 11 or higher. It will not work with > Java > >>>> 8. > >>>>>>>>> Mockito 4.x supported Java 8 but Mockito 4.x does not support > Java > >>>> 25. > >>>>>>>>> > >>>>>>>>> Do we have to support Java 8 on ZooKeeper master branch? I did > not > >>>>> found > >>>>>>>>> any documentation regarding this. > >>>>>>>>> > >>>>>>>>> Thanks in advance, > >>>>>>>>> Dávid > >>>>>>>> > >>>>>>> > >>>>>>> > >>>>> > >>>>> > >>>> > >> > >> > >
