Your second point at least was entirely clear, I simply disagree with it. That we could decide to do something differently/opposing at some future point, does not mean that a particular thing does not exist. EOL exists, LTS exists. That we could (but typically do not) in theory begin / end / change such status at any point if we wanted, even in total contrast with a prior decision, does not mean that status doesn't exist.

Users sitting out on old and unsupported versions when they shouldn't is completely a thing, e.g. such as those now contacting you directly a year after you announced 5.18.7 ended its support. It's generally a bad thing (e.g. they've missed a year of dependency CVE updates) and certainly not something to be encouraged. Telling such folks that 'EOL does not exist' (even though we announced it), and thereby suggesting that it is actually ok to stay on such old unsupported versions because 'we could change our mind at any time' (but typically do not), does not seem at all helpful to them specifically or to the wider user base as a whole. Quite the opposite in my opinion.

Robbie

On Thu, 5 Mar 2026 at 20:45, Jean-Baptiste Onofré <[email protected]> wrote:
>
> Sorry if my "call" was confusing.
>
> My point was:
> 1. Are we ok for a release (preparing the release just in case by cherry picking the related commits)
> 2. EOL doesn't exist because it can be changed at any time, with consensus from the community. We announce EOL, LTS, ... but that can be changed on community consensus.
>
> So, again, if my messages were not clear, sorry about that.
>
> All we are doing is for the good of the community, providing the best user and contributor experience. Positivity and discussion are always welcome.
>
> Anyway, I will discuss with the users to encourage them to update to 5.19.x.
>
> Thanks
> Regards
> JB
>
>
> On Thu, Mar 5, 2026 at 12:17 PM Robbie Gemmell <[email protected]> wrote:
>
> > I think that seems a bit of a post-statement-reversal stretch to be honest. In the specific context where you were 'asked about possibility of a new 5.18.x release', intent of doing a release is implicit in the statement that you would 'prepare that release'. Doing a release was the item of discussion, not just a branch with some more commits added to it, which would seem a superfluous operation if you actually had no thought to release what you just prepared.
> >
> > EOL absolutely exists on ASF projects; when we explicitly announce that we are not going to release it in future and users need to get off it, and we remove it from the download page because it has been dropped from support, and we then don't release it at points it would have been if still supported whilst actually releasing other supported versions at those times (all of these being the case for 5.18.x for the past year), that is EOL. The download page actually contains that very description of it which you merged: "Deprecated: Reached end-of-life and is no longer maintained. Deprecated versions do not receive updates. Not recommended for new deployments; users are encouraged to upgrade to a stable version for ongoing support."
> >
> > Yes, like most decisions we could absolutely reverse such decisions if it were raised and discussed (e.g. such as in a thread like this) and actually thought to make sense not to follow the previously discussed path on the matter (so, less like this thread that time).
> >
> > Robbie
> >
> > On Thu, 5 Mar 2026 at 15:17, Jean-Baptiste Onofré <[email protected]> wrote:
> > >
> > > Preparing the release is cherry-picking the fixes (which I did).
> > > I didn't say I will submit the release to vote.
> > >
> > > It's also the reason that we discuss on the mailing list. It's a community decision.
> > > If the community is ok with a release, we can consider it (EOL doesn't really exist on ASF projects, as we can always submit a release on very old branches if it's a community call).
> > >
> > > It seems we have a consensus to "push" for 5.19.x, I'm fine with that.
> > >
> > > Regards
> > > JB
> > >
> > > On Thu, Mar 5, 2026 at 10:04 AM Robbie Gemmell <[email protected]> wrote:
> > >
> > > > You did also say you were going to prepare a release soon.
> > > >
> > > > Users can certainly ask (though it would be nice if they did it on the list, so discussion could take place for any other users to see), though that doesn't mean it actually makes sense to do. A year past an announced and effective EOL seems clearly not to, especially when there is little if any barrier to upgrading to the year-old replacement stream.
> > > >
> > > > Robbie
> > > >
> > > > On Thu, 5 Mar 2026 at 14:09, Jean-Baptiste Onofré <[email protected]> wrote:
> > > > >
> > > > > Hi
> > > > >
> > > > > I just shared that I got some requests from users. I'm trying to convince them to upgrade to 5.19.x (which is very close to 5.18.x and includes the fixes already).
> > > > >
> > > > > Let me try to convince these users to upgrade to 5.19.x.
> > > > >
> > > > > Regards
> > > > > JB
> > > > >
> > > > > On Thu, Mar 5, 2026 at 8:17 AM Robbie Gemmell <[email protected]> wrote:
> > > > >
> > > > > > Not really seeing how releasing 5.18.x makes sense a year after saying it was no longer supported with the 5.18.7 release (after 5.19.0), removing it from the download page at that time, and having not released the stream since (e.g. for any of the dependency CVE fixes in that time) whilst all the other streams have had multiple releases or even been superseded and dropped themselves?
> > > > > >
> > > > > > Seems especially odd given 5.18.x and 5.19.x have pretty similar supportability/requirements which is why it was dropped. I'm pretty sure I even recall seeing some initial discussion of late about when to drop 5.19.x.
> > > > > >
> > > > > > It will also still be marked as being affected by CVE-2025-66168 by scanners even if it contains the fix, since the version details just announced for that CVE included everything before 5.19.2.
> > > > > >
> > > > > > Is 5.18.x EOL or not?
> > > > > >
> > > > > > Robbie
> > > > > >
> > > > > > On Tue, 3 Mar 2026 at 21:55, Jean-Baptiste Onofré <[email protected]> wrote:
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > I am currently reviewing the security advisories. I have also received several inquiries from the community regarding the possibility of a new 5.18.x release that includes only the latest CVE fixes.
> > > > > > >
> > > > > > > I will begin preparing that release soon.
> > > > > > >
> > > > > > > Regards,
> > > > > > > JB
> > > > > > >
> > > > > > > On Tue, Mar 3, 2026 at 3:13 PM Casey A. Owen via users <[email protected]> wrote:
> > > > > > >
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > Could someone please clarify why the listed CVEs are not documented in the Apache ActiveMQ Classic Security Advisories at https://activemq.apache.org/components/classic/security?
> > > > > > > >
> > > > > > > > Thank you for your prompt attention to this matter,
> > > > > > > >
> > > > > > > > Casey Owen | Sr Applications Analyst
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: [email protected]
> > > > > > For additional commands, e-mail: [email protected]
> > > > > > For further information, visit: https://activemq.apache.org/contact
