Russ, Thanks for the reply. As mentioned initially, NiFi 2.0.0 has had four milestone releases, with 2.0.0-M1 almost one year ago [1]. Taking a year for the release of 2.0.0 reflects a strong commitment to the security and stability of the project.
The list of Deprecated Components and Features [2] has also grown steadily as the community has made progress on the release of 2.0.0. The statements you highlighted are really two sides of the same fundamental consideration. End-of-life means no future updates. As stated, this is more of a recognition of the current dependency landscape, as opposed to a decision on its own. As with all Apache projects, the source code will continue to remain available, and some vendors may provide future support for older versions. This is the case with several of the dependencies listed. Declaring a version line end-of-life means that the community is not in a position to provide ongoing support for future releases of that version series. Regards, David Handermann [1] https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version2.0.0-M1 [2] https://cwiki.apache.org/confluence/display/NIFI/Deprecated+Components+and+Features On Mon, Nov 4, 2024 at 3:27 PM Russell Bateman <r...@windofkeltia.com> wrote: > > Folks, > > I understand the assertions based on Spring, Jetty and Angular. Those > are what they are. And no new features are fine by me. Deprecation of > existing or cautionary features are fine by me. > > However, I'm going to have trouble convincing my management to continue > considering NiFi in our product when I reveal to them that one scant > week has elapsed since the last version (1.28.0), but that now the whole > product's reached end-of-life. It seems a strong indictment of Apache > NiFi to drop 2.0.0 only to say on the same day that there's no grace > period for users to adopt a /major version dot 0/. While I may not > myself have been paying serious enough attention to NiFi 2 (except to > install and run it for some time now to make certain of no surprises), I > feel like rev'ing 1.25.0's third number a couple of dozen (so, for > nearly a full year) might have delivered more the message, "get quickly > off 1.x 'cause it's dead by year's end." Even with a year's notice, we'd > have a struggle to get our customers off of 1.x. > > Maybe it's just that the message needs more palatable crafting? > > "As we cannot provide security support for NiFi 1.x, [we] should > discontinue accepting patches for bug fixes." (I can spin that) > > "I propose November 30, *2024* as the official date for declaring > NiFi 1.x at end of life." (frightening way to say this) > > I could have spent a little more time thinking about this and crafting > my contribution to this discussion, but I hope I'm making my point usefully. > > Russ Bateman > > > On 11/4/24 13:44, David Handermann wrote: > > Team, > > > > Following the four milestone versions and the general availability of > > NiFi 2.0.0, we should determine the timing to discontinue support for > > NiFi 1. > > > > Although this comes right after the release of NiFi 2.0.0, the reality > > is that that support branch already has several fundamental > > dependencies that are no longer supported. These unsupported core > > dependencies include: > > > > - Spring 5 as of 2024-08-31 [1] > > - Jetty 9.4 as of 2022-06-01 [2] > > - Angular 1.8 as of 2021-12-01 [3] > > > > [1]https://endoflife.date/spring-framework > > [2]https://endoflife.date/eclipse-jetty > > [3]https://endoflife.date/angularjs > > > > There are other component dependencies to consider, but the above > > dependencies are important because they are foundational to the > > application. The last open source version of Spring 5.3 already has > > one associated CVE, and although it does not impact NiFi directly, it > > is just one of a growing number of security issues that cannot be > > resolved. > > > > As we cannot provide security support for NiFi 1, which should > > discontinue accepting patches for bug fixes. > > > > Although it may be worth considering one more patch-level release as > > 1.28.1 before declaring NiFi 1 EOL, we should not consider any new > > features. > > > > To move the discussion in a concrete direction, I propose November 30, > > 2024 as the official date for declaring NiFi 1 EOL. > > > > Regards, > > David Handermann
