https://github.com/apache/pulsar/pull/24364
---
# PIP-421: Require Java 17 as the minimum for Pulsar Java client SDK
# Context
Currently, Pulsar requires Java 17 for the server side components and Java
8 for the client SDK and the
client admin SDK.
For the server side components the change was done in PIP-156 [1] in April
2022. At the time it was
deemed too early and not necessary to require Java 17 for client SDK as
well.
There has been a discussion in February 2023 as well [2] where the
consensus still was to keep supporting Java 8.
# Motivation
Since the previous discussions, there have been several changes in the Java
& Pulsar world:
1. Java 8 has been out of premier support for 3 years already [3] and its
usage has been drastically decreasing
over the years, from 85% in 2020, 40% in 2023 and 23% in 2024 [4]. All
indicate that by 2028, usage of Java 8
will be negligible.
2. Java 17 LTS was released ~4 years ago, and it's quite widely adopted in
Java production environments,
along with Java 21 LTS.
3. Pulsar introduced the concept of LTS release which does get support for
2-3 years. This means that a change
we make now will not really affect users sooner than the current LTS
goes out of the support window.
## Issues with dependencies
Many popular Java libraries have started switching to requiring Java >= 11
or >= 17. This is posing
a real problem because we are stuck into old and unsupported versions. When
there is a CVE flagged
in these dependencies, we don't have any way to upgrade to a patched
version.
Non-exhaustive set of libraries requiring Java >= 11:
* Jetty 12 - We are currently using Jetty 9.x, which is completely
unsupported at this point and
there are active CVEs in the version we use.
* Jersey 3.1 - In order to upgrade to Jetty 12, we'd need to upgrade
Jersey as well.
* Jakarta APIs - All new APIs for WS and Rest require Java 11.
* AthenZ - This is an optional dependency for authentication, though all
new versions require Java 17.
There are certainly more dependencies we are using today that have already
switched new versions
to Java 17. This will pose a growing risk for the near future.
### Why Java 17 instead of jumping to 11
The assumption is that the vast majority of Java users have made migrations
directly from 8 to 17. Java 11
has already stopped the premier support, so there would be no strong reason
to settle on 11.
# Changes
1. From Pulsar 4.1, require Java >= 17 for all client modules
2. Pulsar 4.0 will continue with the current status of requiring Java 8
for clients. This will give an
additional 3 years for users that are stuck on Java 8, up to 2028.
3. If there is still interest in supporting Java 8 client after 2028, we
would still be able to have extra
releases for the 4.0 branch to address issues, security fixes. Although
we need to be aware that it
might be very hard to patch all vulnerabilities reported in
dependencies at that point.
## Rejected alternatives
Technically, we could upgrade these dependencies and only require Java 17
for `pulsar-client-admin` and Java 8 for
`pulsar-client`. While this option might offer a wider compatibility today,
it would introduce further confusion
on which Java is required for which component, which I don't believe is
worth the effort.
# Links
* [1] PIP-156 (Build and Run Pulsar Server on Java 17)
https://github.com/apache/pulsar/issues/15207
* [2] Mailing list discussion
https://lists.apache.org/thread/cryoksz7n2066lzdcmhk9jy322lvh11t
* [3] Java support and EOL timeline: https://endoflife.date/oracle-jdk
* [4] NewRelic report on Java ecosystem
https://newrelic.com/resources/report/2024-state-of-the-java-ecosystem
--
Matteo Merli
<mme...@apache.org>
