The Spring project has announced that Spring Security 5.8.x and Spring Framework 5.3.x will be end of life on August 31, 2024 <https://spring.io/blog/2024/03/01/support-timeline-announcement-for-spring-framework-6-0-x-and-5-3-x>. Jenkins currently uses Spring Security 5.8.x and Spring Framework 5.3.x.
Jenkins needs to upgrade to Spring Security 6.x. Spring Security 6.x in Jenkins requires: - Spring Framework 6.x which requires Java 17 and Jakarta EE 9 <https://github.com/spring-projects/spring-framework/wiki/Spring-Framework-Versions#jdk-version-range> When Jenkins transitions from Jakarta EE 8 to Jakarta EE 9, we'll also need to use: - Jetty 12 - Apache file uploader 2.x Given the size of that change and its dependency on Java 17 as a minimum Jenkins version, I think that we want to switch Jenkins to require Java 17 as soon as possible after the last Java 11 LTS baseline is selected. *Proposed Timeline* - 26 Jun 2024 - Choose LTS baseline for last LTS to support Java 11 - 3 Jul 2024 - Require Java 17 in Jenkins weekly release - 7 Aug 2024 -Last LTS.1 release to support Java 11 (likely 2.464.1) - 31 Aug 2024 Spring Security 5.8.x public support ends - 18 Sep 2024 - Choose LTS baseline to require Java 17 - 2 Oct 2024 - Last LTS.3 to support Java 11 - 30 Oct 2024 - First LTS.1 to require Java 17 (likely 2.476.1) Basil prototyped the Jakarta EE 9 upgrade in August 2023. The prototype showed that the bridge method injector may help with the transition. The prototype showed that there is a lot of work to be done in order to upgrade Spring Security in Jenkins from 5.x to 6.x I noted the timeline because I had initially assumed that we would transition Jenkins weekly to require Java 17 in late August or early September 2024. Based on the large amount of work that is needed for the Spring Security upgrade from 5.x to 6.x, I think that we should require Java 17 the week after we've selected the baseline for the final LTS line that will support Java 11. If you're willing to help with the Spring Security upgrade project, I'd love to have you respond to this email message. If you have strong objections to the timeline, please respond with your concerns. I will share more details as I learn more. Thanks, Mark Waite -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/4a260cec-dbe4-4b63-a9e6-7c17ebcbfaebn%40googlegroups.com.
