I think that seems a bit of a post-statement-reversal stretch to be honest. In the specific context where you were 'asked about possibility of a new 5.18.x release', intent of doing a release is implicit in the statement that you would 'prepare that release'. Doing a release was the item of discussion, not just a branch with some more commits added to it, which would seem a superfluous operation if you actually had no thought to release what you just prepared.
EOL absolutely exists on ASF projects; when we explicitly announce that we are not going to release it in future and users need to get off it, and we remove it from the download page because it has been dropped from support, and we then dont release it at points it would have been if still supported whilst actually releasing other supported versions at those times (all of these being the case for 5.18.x for the past year), that is EOL. The download page actually contains that very description of it which you merged: "Deprecated: Reached end-of-life and is no longer maintained. Deprecated versions do not receive updates. Not recommended for new deployments; users are encouraged to upgrade to a stable version for ongoing support." Yes, like most decisions we could absolutely reverse such decisions if it were raised and discussed (e.g such as in a thread like this) and actually thought to make sense not to follow the previously discussed path on the matter (so, less like this thread that time). Robbie On Thu, 5 Mar 2026 at 15:17, Jean-Baptiste Onofré <[email protected]> wrote: > > Preparing the release is cherry-picking the fixes (which I did). > I didn't say I will submit the release to vote. > > It's also the reason that we discuss on the mailing list. It's a community > decision. > If the community is ok with a release, we can consider it (EOL doesn't > really exist on ASF projects, as we can always submit a release on very old > branches if it's a community call). > > It seems we have a consensus to "push" for 5.19.x, I'm fine with that. > > Regards > JB > > On Thu, Mar 5, 2026 at 10:04 AM Robbie Gemmell <[email protected]> > wrote: > > > You did also say you were going to prepare a release soon. > > > > Users can certainly ask (though it would be nice if they did it on the > > list, so discussion could take place for any other users to see), > > though that doesnt mean it actually makes sense to do. A year past an > > announced and effective EOL seems clearly not to, especially when > > there is little if any barrier to upgrading to the year-old > > replacement stream. > > > > Robbie > > > > On Thu, 5 Mar 2026 at 14:09, Jean-Baptiste Onofré <[email protected]> wrote: > > > > > > Hi > > > > > > I just shared that I got some requests from users. I'm trying to convince > > > them to upgrade to 5.19.x (which is very close to 5.18.x and include the > > > fixes already). > > > > > > Let me try to convince these users to upgrade to 5.19.x. > > > > > > Regards > > > JB > > > > > > On Thu, Mar 5, 2026 at 8:17 AM Robbie Gemmell <[email protected]> > > > wrote: > > > > > > > Not really seeing how releasing 5.18.x makes sense a year after saying > > > > it was no longer supported with the 5.18.7 release (after 5.19.0), > > > > removing it from the download page at that time, and having not > > > > released the stream since (e.g for any of the dependency CVE fixes in > > > > that time) whilst all the other streams have had multiple releases or > > > > even been superceded and dropped themselves? > > > > > > > > Seems especially odd given 5.18.x and 5.19.x have pretty similar > > > > supportability/requirements which is why it was dropped. I'm pretty > > > > sure I even recall seeing some initial discussion of late about when > > > > to drop 5.19.x. > > > > > > > > It will also still be marked as being affected by CVE-2025-66168 by > > > > scanners even if it contains the fix, since the version details just > > > > announced for that CVE included everything before 5.19.2. > > > > > > > > Is 5.18.x EOL or not? > > > > > > > > Robbie > > > > > > > > On Tue, 3 Mar 2026 at 21:55, Jean-Baptiste Onofré <[email protected]> > > wrote: > > > > > > > > > > Hi, > > > > > > > > > > I am currently reviewing the security advisories. I have also > > received > > > > > several inquiries from the community regarding the possibility of a > > new > > > > > 5.18.x release that includes only the latest CVE fixes. > > > > > > > > > > I will begin preparing that release soon. > > > > > > > > > > Regards, > > > > > JB > > > > > > > > > > On Tue, Mar 3, 2026 at 3:13 PM Casey A. Owen via users < > > > > > [email protected]> wrote: > > > > > > > > > > > Hello, > > > > > > > > > > > > Could someone please clarify why the listed CVEs are not > > documented in > > > > the > > > > > > Apache ActiveMQ Classic Security Advisories at > > > > > > https://activemq.apache.org/components/classic/security? > > > > > > > > > > > > Thank you for your prompt attention to this matter, > > > > > > > > > > > > > > > > > > Casey Owen | Sr Applications Analyst > > > > > > > > > > > > > > > > > > > > --------------------------------------------------------------------- > > > > To unsubscribe, e-mail: [email protected] > > > > For additional commands, e-mail: [email protected] > > > > For further information, visit: https://activemq.apache.org/contact > > > > > > > > > > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > For further information, visit: https://activemq.apache.org/contact > > > > > > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] For further information, visit: https://activemq.apache.org/contact
