Colin,

See comment below.

On Sun, Apr 9, 2023 at 4:53 PM Colin McCabe <cmcc...@apache.org> wrote:
>
> > Until this is the case and unless we carry out a Zookeeper version
> > upgrade we leave users to run on an end-of-life version with unpatched CVEs
> > addressed in later versions.
> >
> > Some users have compliance requirements to only run on stable versions
> > of a software and its dependencies and not keeping the dependencies up to
> > date renders them unable to use Kafka.
>
> We are going to deprecate ZK mode soon. So if this is indeed a requirement
> (no deprecated software in prod), perhaps those users will have to move to
> KRaft mode. (Independently of what we decide here)
>

Not sure where "no deprecated software in prod" is coming from. The concern is regarding end-of-life software - i.e. software that no longer receives security fixes. If we don't upgrade beyond 3.6.x, we'll be in a tough position when a CVE is fixed only in ZooKeeper 3.7.x, 3.8.x, etc. If it's a serious security problem, then it's likely that an additional release of ZooKeeper 3.6.x might be released. But the more likely case is that a library dependency will have a CVE that will trigger the compliance checks from enterprise users, but not warrant another ZooKeeper 3.6.x release.

Ismael