Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Jetty 9.2 EOL

Martijn,

it is precisely because of past reluctance to upgrade infrastructure that the industry is getting into the nightmare scenario of insecure ciphers that cannot be replaced!     Hence HTTP/2's effort to try to mandate stronger ciphers and our own preference to
EOL java 7 support.  This is to put back pressure on other infrastructure developers and deployers to upgrade and make forward progress possible.

If a security bug is found in 9.2, we will almost certainly fix that in the mid term future.  Non security related fixes that result from commercial support will also make it back to the open source repository... but perhaps not in a formal release (at least not a frequent cycle).

The beauty of open source is that 9.2 will still be available and patchable if need be.  We are just saying that it will no longer be a priority for us to do so and that 9.2 users really need to plan to migrate to a more recent release and to put pressure on any other suppliers that are holding up that process.

cheers




On 29 April 2016 at 05:02, martijn.list <martijn.list@xxxxxxxxx> wrote:
On 04/28/2016 08:32 PM, Jesse McConnell wrote:
>
> Part of the push to get Jetty 9.4 out the door will be also to retire
> open source support for Jetty 9.2.x which should be effective in May 2016.
>
> A year ago this month (April) Oracle put the brakes on general public
> support for Java 7.  That roughly corresponds to when we pushed Jetty
> 9.3.x which was the first version of Jetty to require Java 8.
>
> Picking up another release branch of Jetty and the looming addition of
> yet another for experimental features and the forthcoming Servlet 4.0
> support with Jetty 10 means something has to give.  Moving forward Jetty
> 9.2.x will not be getting any tangible support from the Jetty developers
> on the open source side of things.  We will continue to support it for
> clients through our professional services and support company Webtide,
> and if that support triggers a release then that release will of course
> be made available to the community at large.  We started this program
> with Jetty 6 and it seems to have  served us and the community well for
> both Jetty 7 and Jetty 8.
>
> If you have any questions about this please chime in!

Unfortunately OpenJDK 8 on CentOS/RedHat has some open issues with EC
support for TLS (https://bugs.centos.org/view.php?id=9482). These issues
makes it impossible to use strong ciphers with Jetty when running under
OpenJDK 8.

Because OpenJDK 6 and 7 are still supported by RedHat, wouldn't it be a
good idea to keep supporting 9.2 only for bug fixes?

Kind regards,

Martijn Brinkers


_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users



--

Back to the top