Re: [jetty-users] Jetty 9.2 EOL

On 04/29/2016 01:14 AM, Greg Wilkins wrote:
> it is precisely because of past reluctance to upgrade infrastructure
> that the industry is getting into the nightmare scenario of insecure
> ciphers that cannot be replaced!  Hence HTTP/2's effort to try to
> mandate stronger ciphers and our own preference to
> EOL java 7 support.  This is to put back pressure on other
> infrastructure developers and deployers to upgrade and make forward
> progress possible.

I understand the reasoning behind this :) The reality, however, is that
Java 8, at the moment, is still not widely supported (out of the box) on
Linux. For example, Ubuntu 14.04 LTS does not even offer OpenJDK 8.
Ubuntu 16.04 LTS, which supports OpenJDK 8, was only recently released.
The reality is that there are a lot of servers running on Ubuntu 14.04.
On CentOS 7, OpenJDK 8 has crippled support for EC ciphers
(https://bugs.centos.org/view.php?id=9482).


> If a security bug is found in 9.2, we will almost certainly fix that in
> the mid term future.  Non security related fixes that result from
> commercial support will also make it back to the open source
> repository... but perhaps not in a formal release (at least not a
> frequent cycle).

EOL suggests (at least to me) that even security bugs will not be fixed.
Instead of calling 9.2 EOL, perhaps some different wording that
suggests that security bugs will be fixed for some period might be
better imho.

Kind regards,

Martijn


> The beauty of open source is that 9.2 will still be available and
> patchable if need be.  We are just saying that it will no longer be a
> priority for us to do so and that 9.2 users really need to plan to
> migrate to a more recent release and to put pressure on any other
> suppliers that are holding up that process.

> On 29 April 2016 at 05:02, martijn.list <martijn.list@xxxxxxxxx> wrote:
> 
>     On 04/28/2016 08:32 PM, Jesse McConnell wrote:
>     >
>     > Part of the push to get Jetty 9.4 out the door will be also to retire
>     > open source support for Jetty 9.2.x which should be effective in May 2016.
>     >
>     > A year ago this month (April) Oracle put the brakes on general public
>     > support for Java 7.  That roughly corresponds to when we pushed Jetty
>     > 9.3.x which was the first version of Jetty to require Java 8.
>     >
>     > Picking up another release branch of Jetty and the looming addition of
>     > yet another for experimental features and the forthcoming Servlet 4.0
>     > support with Jetty 10 means something has to give.  Moving forward Jetty
>     > 9.2.x will not be getting any tangible support from the Jetty developers
>     > on the open source side of things.  We will continue to support it for
>     > clients through our professional services and support company Webtide,
>     > and if that support triggers a release then that release will of course
>     > be made available to the community at large.  We started this program
>     > with Jetty 6 and it seems to have served us and the community well for
>     > both Jetty 7 and Jetty 8.
>     >
>     > If you have any questions about this please chime in!
> 
>     Unfortunately OpenJDK 8 on CentOS/RedHat has some open issues with EC
>     support for TLS (https://bugs.centos.org/view.php?id=9482). These issues
>     make it impossible to use strong ciphers with Jetty when running under
>     OpenJDK 8.
> 
>     Because OpenJDK 6 and 7 are still supported by RedHat, wouldn't it be a
>     good idea to keep supporting 9.2 only for bug fixes?
> 
>     Kind regards,
> 
>     Martijn Brinkers
> 
> 
>     _______________________________________________
>     jetty-users mailing list
>     jetty-users@xxxxxxxxxxx
>     To change your delivery options, retrieve your password, or
>     unsubscribe from this list, visit
>     https://dev.eclipse.org/mailman/listinfo/jetty-users
> 
> 
> 
> 
> -- 
> Greg Wilkins <gregw@xxxxxxxxxxx> CTO
> http://webtide.com
> 
> 


-- 
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

https://www.ciphermail.com

Twitter: http://twitter.com/CipherMail

