3.3.x +1 The branch-3.2 is the latest branch, and the latest version is 3.2.2, it contains functionality improvements, bug fixes, and CVE fixes, if we happen to release a new version based on branch-3.3, why not add this change to it?
Best - Ran Gao On 2024/04/17 17:30:27 Lari Hotari wrote: > I'd not like to do this change for 3.3.x, but the fact is that there's no > support for Jetty 9.4.x . > A new CVE in Jetty 9.4.x could cause a problem to us if the support policy is > actually followed in Jetty and users are forced to upgrade to get the fix. We > just have to tolerate this risk, I guess. > > I agree that 3.3.x release preparations should start and we are already > behind schedule. > It would be great to have BK 4.17.0 in Pulsar 3.3.x since it's not possible > to upgrade GRPC and Protobuf in Pulsar unless that first happens in BK. [1] > > -Lari > > 1 - https://lists.apache.org/thread/s9g6w31vtwzgqf162hhlcr2nx3y68gv5 > > On 2024/04/17 15:40:30 Nicolò Boschi wrote: > > I personally agree with NOT including it in 3.3.x > > > > Following the release policy, it should be time to start preparing the > > 3.3.x branch soon. > > Also I wonder if the release line after 3.3.x will be 4.0, given that > > 3.0 has been released almost 1y ago and the LTS should be cut every 18 > > months. > > Having this upgrade in 4.0 seems like a good move to me. > > > > Nicolò > > > > Il giorno mer 17 apr 2024 alle ore 17:32 Zixuan Liu > > <zix...@apache.org> ha scritto: > > > > > > > do we first release 3.3.x asap and then tackle this upgrade for Pulsar > > > 3.4.x > > > +1 > > > > > > Lari Hotari <lhot...@apache.org> 于2024年4月17日周三 21:57写道: > > > > > > > Hi, > > > > > > > > Pulsar Broker and Pulsar Proxy use Jetty 9.4.x. Jetty 9.4.x has reached > > > > end-of-line already in June 2022. Jetty 9.4.x has been receiving > > > > security > > > > updates until now although it is not officially supported anymore. This > > > > might change soon. That's why we need to start preparing to upgrade to > > > > Jetty 12. > > > > > > > > It is recommended to skip Jetty 10 and Jetty 11 since they are also end > > > > of > > > > support. > > > > More details about this recommendation is in this Jetty GitHub issue > > > > message by the Jetty maintainer: > > > > https://github.com/jetty/jetty.project/issues/11644#issuecomment-2048516903 > > > > . > > > > > > > > Could we target Jetty 12 upgrade for the master branch so that it gets > > > > included in Pulsar 3.3.x ? > > > > Or, do we first release 3.3.x asap and then tackle this upgrade for > > > > Pulsar > > > > 3.4.x? > > > > > > > > -Lari > > > > > > >
