Clarify the situation of EoCS and EoL for Jetty-11 #12278

Closed
ansf opened this issue Sep 16, 2024 · 6 comments

ansf commented Sep 16, 2024

Looking at the latest 11.x release, it says "This is a sponsored release for an End of Life version of Jetty".

When I was looking at #10485, my understanding was that jetty-11 should have reached End of Community Support, but not End of Life. I expected End of Life to be around January 2025.

Also from my understanding, jetty-11 will receive security updates until EoL.

Can you please clarify the situation of EoCS and EoL for Jetty-11, or point me in the right direction, where the current lifecycle of the different versions is documented?

ansf added the Question label Sep 16, 2024
Contributor

joakime commented Sep 16, 2024

Jetty 11 will continue to get security patches and sponsored releases.

The statement "End of Life" is still correct.
You should be using a supported version of Jetty, which is Jetty 12 at this point in time.

Author

ansf commented Sep 16, 2024

> You should be using a supported version of Jetty, which is Jetty 12 at this point in time.

I agree. However, I try to understand how we should prioritize the task of upgrading.

> Jetty 11 will continue to get security patches and sponsored releases.
> The statement "End of Life" is still correct.

I do not understand what the difference between "End of Community Support" and "End of Life" is. My understanding was that with EoL, security updates will also stop (see #10485).

What I try to understand is: How long will jetty-11 receive security updates?

Contributor

joakime commented Sep 16, 2024

> > You should be using a supported version of Jetty, which is Jetty 12 at this point in time.
>
> I agree. However, I try to understand how we should prioritize the task of upgrading.

The minute the announcement is made that any product (not Jetty specific) has started its countdown to EOL is how you prioritize.

> > Jetty 11 will continue to get security patches and sponsored releases.
> > The statement "End of Life" is still correct.
>
> I do not understand what the difference between "End of Community Support" and "End of Life" is. My understanding was that with EoL, security updates will also stop (see #10485).

"End of Community Support" is unfortunately a term that has little to no weight to people making decisions.
It has no equivalence in any of the existing products that manage dependencies.
It cannot be represented in various auditing tooling metadata for products.
We have come to learn that it is essentially meaningless.

We have started to use "End of Life" as that's the trigger that starts organizations moving away from deprecated versions that they do not have support for.

We really wish there was a way to represent this better, but we have gotten lots of feedback on our use of "End of Community Support" telling us that we should be using "End of Life" instead. (we've had a few even suggest using "End of Service Life" or "End of Support Life" as the next stage after this, when things are truly, 100% done for that version of Jetty. Like what Jetty 8 is now.)

> What I try to understand is: How long will jetty-11 receive security updates?

For the community, only as long as there are commercial support contracts for those deprecated versions of Jetty.
Once the last commercial support contract for Jetty 11 expires, that will be the last time Jetty 11 will see a public release for any reason (even security fixes). The statement you saw on the release notes is your indication on why that release was produced.

Author

ansf commented Sep 16, 2024

I still find it a bit confusing, but this is my current understanding:

  • EoL has no meaning in whether a version still receives security updates or not
  • Whether or not an "EoL" version still receives updates depends on whether there are still some commercial support contracts running (we do not know when these contracts will end, do we?)

Honestly I think it would help to have two defined states with dates when they each end (at the earliest).

Contributor

joakime commented Sep 16, 2024

> I still find it a bit confusing, but this is my current understanding:
>
> * EoL has no meaning in whether a version still receives security updates or not
> * Whether or not an "EoL" version still receives updates depends on whether there are still some commercial support contracts running (we do not know when these contracts will end, do we?)

No, the contracts are private to the client/company that signs them.
If you look at the long history of Jetty releases, you'll find sponsored releases of long since EOL versions. (even versions that are 5 years past EOSL).

The only meaning EOL has is "this version has stopped updates / development / maintenance, you should upgrade to a supported version. If you need support on this version, get a commercial support contract."
When it reaches EOSL (End of Support Life / End of Service Life) the meaning is "this version has no support option anymore".

> Honestly I think it would help to have two defined states with dates when they each end (at the earliest).

The start date is the key thing that makes things complicated here.
The start date has to have a meaning that will trigger the "we need to upgrade" steps.
The tooling around dependency management has nothing that can represent this, only the end date.
The end date is actually undefined for Jetty, simply due to how its commercial support contracts work.

Take Jetty 9 for example, the end date for that is loosely tied to the end date for Java 8 support, which keeps getting pushed back by some parties.

The biggest issue with versioning in Jetty, is that we were (more on this later) tied to the Servlet API releases.

  • Jetty 9 - Servlet 3.1
  • Jetty 10 - Servlet 4
  • Jetty 11 - Servlet 5

That meant a new release of Jetty with the same timing as Servlet releases, far too often!

With Jetty 12, we have separated Jetty core from the servlet dependency. It no longer depends on the servlet API.
Now with Jetty 12, we have environments for each new EE level.

  • ee8 - Servlet 4
  • ee9 - Servlet 5
  • ee10 - Servlet 6.0
  • ee11 - Servlet 6.1 (new in Jetty 12.1.x)

There is no longer a push for a new major version of Jetty with each new ee/servlet version. yay!

The majority of the work on Jetty right now is in Jetty 12.1.x (which adds the ee11 environment and a few new features to 12.0.x, but doesn't change the jetty core or other existing environments).
We expect Jetty 12 will last the test of time and not need major version upgrades for years. (the only thing we can see causing a major update would be a fundamental change in Java or Jakarta EE mandating some kind of intrusive change).

Author

ansf commented Sep 16, 2024

Thanks for the detailed answer! I have a better understanding of the whole situation now. 👍

ansf closed this as completed Sep 16, 2024