+1 (binding) Thanks Yubiao Feng
On Fri, Jun 20, 2025 at 3:38 AM Matteo Merli <mme...@apache.org> wrote: > https://github.com/apache/pulsar/pull/24364 > > --- > > # PIP-421: Require Java 17 as the minimum for Pulsar Java client SDK > > # Context > > Currently, Pulsar requires Java 17 for the server side components and Java > 8 for the client SDK and the > client admin SDK. > > For the server side components the change was done in PIP-156 [1] in April > 2022. At the time it was > deemed too early and not necessary to require Java 17 for client SDK as > well. > > There has been a discussion in February 2023 as well [2] where the > consensus still was to keep supporting Java 8. > > # Motivation > > Since the previous discussions, there have been several changes in the Java > & Pulsar world: > > 1. Java 8 has been out of premier support for 3 years already [3] and its > usage has been drastically decreasing > over the years, from 85% in 2020, 40% in 2023 and 23% in 2024 [4]. All > indicate that by 2028, usage of Java 8 > will be negligible. > 2. Java 17 LTS was released ~4 years ago, and it's quite widely adopted in > Java production environments, > along with Java 21 LTS. > 3. Pulsar introduced the concept of LTS release which does get support for > 2-3 years. This means that a change > we make now will not really affect users sooner than the current LTS > goes out of the support window. > > > ## Issues with dependencies > > Many popular Java libraries have started switching to requiring Java >= 11 > or >= 17. This is posing > a real problem because we are stuck into old and unsupported versions. When > there is a CVE flagged > in these dependencies, we don't have any way to upgrade to a patched > version. > > Non-exhaustive set of libraries requiring Java >= 11: > > * Jetty 12 - We are currently using Jetty 9.x, which is completely > unsupported at this point and > there are active CVEs in the version we use. > * Jersey 3.1 - In order to upgrade to Jetty 12, we'd need to upgrade > Jersey as well. > * Jakarta APIs - All new APIs for WS and Rest require Java 11. > * AthenZ - This is an optional dependency for authentication, though all > new versions require Java 17. > > There are certainly more dependencies we are using today that have already > switched new versions > to Java 17. This will pose a growing risk for the near future. > > ### Why Java 17 instead of jumping to 11 > > The assumption is that the vast majority of Java users have made migrations > directly from 8 to 17. Java 11 > has already stopped the premier support, so there would be no strong reason > to settle on 11. > > # Changes > > 1. From Pulsar 4.1, require Java >= 17 for all client modules > 2. Pulsar 4.0 will continue with the current status of requiring Java 8 > for clients. This will give an > additional 3 years for users that are stuck on Java 8, up to 2028. > 3. If there is still interest in supporting Java 8 client after 2028, we > would still be able to have extra > releases for the 4.0 branch to address issues, security fixes. Although > we need to be aware that it > might be very hard to patch all vulnerabilities reported in > dependencies at that point. > > ## Rejected alternatives > > Technically, we could upgrade these dependencies and only require Java 17 > for `pulsar-client-admin` and Java 8 for > `pulsar-client`. While this option might offer a wider compatibility today, > it would introduce further confusion > on which Java is required for which component, which I don't believe is > worth the effort. > > # Links > > * [1] PIP-156 (Build and Run Pulsar Server on Java 17) > https://github.com/apache/pulsar/issues/15207 > * [2] Mailing list discussion > https://lists.apache.org/thread/cryoksz7n2066lzdcmhk9jy322lvh11t > * [3] Java support and EOL timeline: https://endoflife.date/oracle-jdk > * [4] NewRelic report on Java ecosystem > https://newrelic.com/resources/report/2024-state-of-the-java-ecosystem > > > > > -- > Matteo Merli > <mme...@apache.org> > -- This email and any attachments are intended solely for the recipient(s) named above and may contain confidential, privileged, or proprietary information. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or reproduction of this information is strictly prohibited. If you have received this email in error, please notify the sender immediately by replying to this email and delete it from your system.
