Patch has been merged. Thanks everyone for the contribution and David for the patch!
Regards, Andor > On Jun 15, 2026, at 11:15, Andor Molnár <[email protected]> wrote: > > Hi folks, > > JDK 17 patch is ready to be merged from CI’s perspective. > Could we have some more eyeballs on the patch before merging it? > > https://github.com/apache/zookeeper/pull/2376 > > Thanks, > Andor > > > > >> On May 28, 2026, at 04:21, Dávid Paksy <[email protected]> wrote: >> >> Hi All, >> >> Many thanks for the feedback so far, I implemented it. >> >> Can you please review https://github.com/apache/zookeeper/pull/2376 >> >> Many thanks in advance, >> Dávid >> >> Andor Molnár <[email protected]> ezt írta (időpont: 2026. máj. 11., H, >> 19:42): >> >>> Hi folks, >>> >>> Please take a look at the patch: >>> >>> https://github.com/apache/zookeeper/pull/2376 >>> >>> Thanks, >>> Andor >>> >>> >>> >>> >>>> On May 11, 2026, at 02:46, Dávid Paksy <[email protected]> wrote: >>>> >>>> Hi All, >>>> >>>> Thanks everyone for your responses! >>>> >>>> I now raised the #2376 PR for the JDK17 / JDK25 support on master. >>>> If you can please have a look and provide feedback. >>>> >>>> Many thanks in advance, >>>> Dávid >>>> >>>> >>>> >>>> Andor Molnár <[email protected]> ezt írta (időpont: 2026. máj. 5., K, >>> 17:41): >>>> >>>>> This should be that: >>>>> >>>>> https://issues.apache.org/jira/browse/ZOOKEEPER-5038 >>>>> >>>>> >>>>> >>>>> >>>>>> On May 5, 2026, at 04:09, Enrico Olivelli <[email protected]> wrote: >>>>>> >>>>>> Il Lun 4 Mag 2026, 22:15 Lari Hotari <[email protected]> ha scritto: >>>>>> >>>>>>> I'm just wondering if we could first decouple the code that uses Jetty >>>>> from >>>>>>> zookeeper-server. >>>>>>> >>>>>>> I added this comment to ZOOKEEPER-5038: >>>>>>> ===== >>>>>>> Since the recurring blocker for upgrading Jetty is the Java baseline >>>>> (Jetty >>>>>>> 12 requires Java 17, while ZooKeeper still supports Java 8/11), it >>>>> would be >>>>>>> useful to decouple the HTTP admin server from zookeeper-server >>> entirely. >>>>>>> >>>>>>> Concretely, the org.apache.zookeeper.server.admin package could be >>> moved >>>>>>> out of the zookeeper-server module into a new, separate module — for >>>>>>> example zookeeper-server-http-admin. The rest of ZooKeeper would keep >>>>> its >>>>>>> current Java 8/11 compatibility, and only this optional module would >>>>>>> require Java 17 (and pull in Jetty 12). >>>>>>> >>>>>>> To avoid a hard compile-time dependency from zookeeper-server on the >>> new >>>>>>> module, the admin server could be loaded via reflection at runtime >>> when >>>>> it >>>>>>> is enabled in the configuration. That way users on older JDKs simply >>>>> don't >>>>>>> enable the HTTP admin server, while users on Java 17+ get a fully >>>>>>> maintained Jetty. >>>>>>> >>>>>>> This would also let the Jetty upgrade proceed independently of the >>>>> broader >>>>>>> Java baseline discussion. >>>>>>> ===== >>>>>>> >>>>>>> Would this make sense? >>>>>>> >>>>>> >>>>>> It does. >>>>>> >>>>>> Let's create a JIRA, we should make this change before cutting the next >>>>>> release >>>>>> >>>>>> >>>>>> Enrico >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>> -Lari >>>>>>> >>>>>>> On Mon, 4 May 2026 at 22:50, Andor Molnár <[email protected]> wrote: >>>>>>> >>>>>>>> Absolutely. That’s actually my original intention for the JDK 17 >>>>> upgrade. >>>>>>>> We should definitely upgrade to Jetty 12 once the JDK upgraded >>> landed. >>>>>>>> >>>>>>>> Thanks for the heads-up. >>>>>>>> >>>>>>>> Andor >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> On May 4, 2026, at 05:39, Lari Hotari <[email protected]> wrote: >>>>>>>>> >>>>>>>>> Hi all, >>>>>>>>> >>>>>>>>> I'd like to raise a point related to the discussion about >>> ZooKeeper's >>>>>>>>> minimum supported Java version. >>>>>>>>> >>>>>>>>> Jetty 9.x is end-of-life and no longer receives OSS security >>> updates. >>>>>>>> There >>>>>>>>> are unaddressed CVEs that affect the 9.4.x line: >>>>>>>>> >>>>>>>>> - CVE-2026-2332 (High) – HTTP request smuggling via chunked >>> extension >>>>>>>>> parsing; affects Jetty <= 9.4.59. Fixed in 9.4.60. >>>>>>>>> - CVE-2025-11143 (Low) – differential URI parsing that can lead to >>>>>>>> security >>>>>>>>> bypass; affects Jetty <= 9.4.58. Fixed in 9.4.59. >>>>>>>>> >>>>>>>>> The catch is that 9.4.59 and 9.4.60 are only available to customers >>>>>>>> paying >>>>>>>>> for commercial support (e.g. Webtide/HeroDevs NES). OSS projects can >>>>> no >>>>>>>>> longer obtain security fixes for Jetty 9.x through Maven Central. >>>>>>>>> >>>>>>>>> The supported community line is Jetty 12.x, which requires Java 17 >>> as >>>>>>> the >>>>>>>>> baseline. >>>>>>>>> >>>>>>>>> In Apache Pulsar, we've had to carry a fairly invasive workaround to >>>>>>>>> upgrade to Jetty 12.x while still depending on ZooKeeper: we patch / >>>>>>>> shadow >>>>>>>>> the relevant Pulsar-side integration classes (the equivalents of >>>>>>>>> org.apache.zookeeper.server.admin and >>>>>>>>> org.apache.zookeeper.metrics.prometheus) so Pulsar can run on Jetty >>>>>>> 12.x >>>>>>>>> even though ZooKeeper still pulls in Jetty 9.x. We'd very much like >>> to >>>>>>>> drop >>>>>>>>> this hack, but that requires ZooKeeper itself to move off Jetty 9.x. >>>>>>>>> >>>>>>>>> Given that Jetty 12.x requires Java 17, raising ZooKeeper's Java >>>>>>> baseline >>>>>>>>> to 17 would unblock the Jetty upgrade and close the CVE exposure for >>>>>>>>> downstream OSS users at the same time. Would the project consider >>>>> tying >>>>>>>> the >>>>>>>>> Java 17 baseline discussion to a Jetty 12 migration on the same >>>>> release >>>>>>>>> line? >>>>>>>>> >>>>>>>>> Happy to help with the migration work if there's interest. >>>>>>>>> >>>>>>>>> -Lari >>>>>>>>> >>>>>>>>> On Thu, 30 Apr 2026 at 02:14, Andor Molnár <[email protected]> >>> wrote: >>>>>>>>> >>>>>>>>>> I’m trying to extract the relevant information from the thread for >>>>>>> you. >>>>>>>>>> Previously I wrote something like: >>>>>>>>>> >>>>>>>>>> “… we could make a leap and make JDK 17 the minimum runtime and >>>>>>> compile >>>>>>>>>> versions for the master branch. >>>>>>>>>> >>>>>>>>>> Once the change is merged to master, we'll backport it to >>> branch-3.9 >>>>>>> as >>>>>>>>>> follows: >>>>>>>>>> >>>>>>>>>> * minimum JDK for building: 17 >>>>>>>>>> * minimum JRE for running: 8 (no change) “ >>>>>>>>>> >>>>>>>>>> As far as I know, that’s what we agreed on, but unfortunately, no >>> one >>>>>>>> has >>>>>>>>>> been willing to create a PR for it since then. Are you happy to >>> work >>>>>>> on >>>>>>>> it? >>>>>>>>>> >>>>>>>>>> Andor >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> On Apr 29, 2026, at 13:12, Andor Molnár <[email protected]> wrote: >>>>>>>>>>> >>>>>>>>>>> Hi David, >>>>>>>>>>> >>>>>>>>>>> Thank you, your efforts are much appreciated. >>>>>>>>>>> >>>>>>>>>>> Yes. At the moment we still support Java 8 on all active branches. >>>>>>>>>>> There’s only one exception: Owasp build process requires Java 11 >>> to >>>>>>>> run. >>>>>>>>>>> >>>>>>>>>>> There was a bunch of discussions [1] and [2] recently regarding >>> how >>>>>>>>>> should we >>>>>>>>>>> upgrade and which JDK versions should we support on our branches. >>>>> You >>>>>>>>>> might >>>>>>>>>>> want to review them before going forward. >>>>>>>>>>> >>>>>>>>>>> [1] >>>>> https://lists.apache.org/thread/42537mr70g3n8srzxg406xlssbcsqr7w >>>>>>>>>>> [2] >>>>> https://lists.apache.org/thread/ng8gq261ts5znzt6wb3zgjwqpsoqfftv >>>>>>>>>>> >>>>>>>>>>> Regards, >>>>>>>>>>> Andor >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> On Apr 29, 2026, at 07:57, Dávid Paksy <[email protected]> >>> wrote: >>>>>>>>>>>> >>>>>>>>>>>> Hi ZooKeeper devs, >>>>>>>>>>>> >>>>>>>>>>>> I started to work on JDK25 support in ZooKeeper. The compilation >>>>>>> works >>>>>>>>>> fine >>>>>>>>>>>> but for the tests to work I created ZOOKEEPER-5039 to upgrade >>>>>>> Mockito >>>>>>>> to >>>>>>>>>>>> 5.23.0. >>>>>>>>>>>> >>>>>>>>>>>> I put up #2376 PR and I saw, the GH: Action builds at the moment >>>>> are >>>>>>>>>> done >>>>>>>>>>>> using Java 8 and Java 11. >>>>>>>>>>>> >>>>>>>>>>>> Mockito 5.x requires Java 11 or higher. It will not work with >>> Java >>>>>>> 8. >>>>>>>>>>>> Mockito 4.x supported Java 8 but Mockito 4.x does not support >>> Java >>>>>>> 25. >>>>>>>>>>>> >>>>>>>>>>>> Do we have to support Java 8 on ZooKeeper master branch? I did >>> not >>>>>>>> found >>>>>>>>>>>> any documentation regarding this. >>>>>>>>>>>> >>>>>>>>>>>> Thanks in advance, >>>>>>>>>>>> Dávid >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>> >>>>> >>> >>> >
