ctubbsii commented on PR #2785: URL: https://github.com/apache/thrift/pull/2785#issuecomment-1522346633
> What are the versions for _today_? And what's the support policy of _today_'s versions? This is a relatively small project. I am not aware of any formal support policy, but I would happily embrace maintenance releases for recent versions with critical bugs to fix. That requires more active committers, and voting PMC members (not just regular contributors). > Based on the statistics of [Maven Central](https://mvnrepository.com/artifact/org.apache.thrift/libthrift), the most adopted versions are 0.9.x and 0.12.x, can we treat them as versions for _today_? Can I request a security-patched/bug-fix version for them? To make that happen, there needs to be sufficient demand for them, and more support to prepare releases. I've been following the mailing lists for some time now, and I have not seen a high demand for maintenance releases. Preparing release candidates seems to be done by relatively few people. That could change. I think the PMC should decide how they want to address that. > Thrift 0.13.0 made lots of [breaking changes](https://github.com/apache/thrift/blob/v0.13.0/CHANGES.md#breaking-changes) including THRIFT-4725 in Java, that's one of the reasons why the lower versions are adopted widely today, even they have known CVEs. Drops Java8 support is another significant breaking change. In my experience, *every* version of Thrift has been accompanied by a breaking change. This is one of the reasons why I don't understand why people seem to want to upgrade it so aggressively, such that they need to impose constraints on the anticipated future versions of Thrift. I would upgrade Thrift very conservatively, due to these breaking changes. By the time you upgrade to version of Thrift that requires Java 11, I would expect consuming projects to already be ready to move to 11, so it shouldn't be a problem. I think a better approach, rather than hold back future versions of Thrift, is to encourage more maintenance releases on previous versions. That would solve the Java dependency problem *and* solve the breaking change issues that appear in each Thrift release. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
