Martijn, it is precisely because of past reluctance to upgrade infrastructure that the industry is getting into the nightmare scenario of insecure ciphers that cannot be replaced! Hence HTTP/2's effort to try to mandate stronger ciphers and our own preference to EOL java 7 support. This is to put back pressure on other infrastructure developers and deployers to upgrade and make forward progress possible.
If a security bug is found in 9.2, we will almost certainly fix that in the mid term future. Non security related fixes that result from commercial support will also make it back to the open source repository... but perhaps not in a formal release (at least not a frequent cycle). The beauty of open source is that 9.2 will still be available and patchable if need be. We are just saying that it will no longer be a priority for us to do so and that 9.2 users really need to plan to migrate to a more recent release and to put pressure on any other suppliers that are holding up that process. cheers On 29 April 2016 at 05:02, martijn.list <[email protected]> wrote: > On 04/28/2016 08:32 PM, Jesse McConnell wrote: > > > > Part of the push to get Jetty 9.4 out the door will be also to retire > > open source support for Jetty 9.2.x which should be effective in May > 2016. > > > > A year ago this month (April) Oracle put the brakes on general public > > support for Java 7. That roughly corresponds to when we pushed Jetty > > 9.3.x which was the first version of Jetty to require Java 8. > > > > Picking up another release branch of Jetty and the looming addition of > > yet another for experimental features and the forthcoming Servlet 4.0 > > support with Jetty 10 means something has to give. Moving forward Jetty > > 9.2.x will not be getting any tangible support from the Jetty developers > > on the open source side of things. We will continue to support it for > > clients through our professional services and support company Webtide, > > and if that support triggers a release then that release will of course > > be made available to the community at large. We started this program > > with Jetty 6 and it seems to have served us and the community well for > > both Jetty 7 and Jetty 8. > > > > If you have any questions about this please chime in! > > Unfortunately OpenJDK 8 on CentOS/RedHat has some open issues with EC > support for TLS (https://bugs.centos.org/view.php?id=9482). These issues > makes it impossible to use strong ciphers with Jetty when running under > OpenJDK 8. > > Because OpenJDK 6 and 7 are still supported by RedHat, wouldn't it be a > good idea to keep supporting 9.2 only for bug fixes? > > Kind regards, > > Martijn Brinkers > > > _______________________________________________ > jetty-users mailing list > [email protected] > To change your delivery options, retrieve your password, or unsubscribe > from this list, visit > https://dev.eclipse.org/mailman/listinfo/jetty-users > -- Greg Wilkins <[email protected]> CTO http://webtide.com
_______________________________________________ jetty-users mailing list [email protected] To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/jetty-users
