Migrate to Jetty 12
Description
Environment
is blocked by
Activity
Guus der Kinderen November 8, 2024 at 1:58 PM
The Jetty team indicated that EE8 will continue to be supported in future versions.
Guus der Kinderen November 8, 2024 at 1:51 PM
We’ve weighed using EE8 (javax namespace) vs EE10 (jakarta namespace) in a couple of ways:
plugin compatibility: we’re assuming that using EE10 introduces compatibility issues
feature-richness: more and more bits modern browser functionality will not be compatible with EE8. Certain EE8-provided features may no longer be supported by modern browsers
Openfire dependencies (two-fold): 1. Updates for certain dependencies may require
jakartanamespaces. 2. For some dependencies, nojakaratacompatible updates may be availableFeedback from Jetty developers: https://www.eclipse.org/lists/jetty-dev/msg03743.html
I believe that our dependencies shouldn't be a blocker to stick with EE8. We have not identified anything major (no important dependencies that we want to upgrade, but cannot because of EE8) I can't see how with more analysis, we could get further on that than we are today. Based on the availability of dependencies, we could go with either EE8 and EE10, if we'd want to.
With regards to browser-provided functionality and compatibility with EE8 or more modern EE's: I expect that browser vendors will be looking to retain backwards compatibility, at least with regards to basic functionality that we're using in Openfire. I'm not to worried about 'loosing' functionality (if we'd stick with EE8). Even if that would affect Openfire, it likely only affects non-core functionality - something we may want to sacrifice. My bigger concern is that with EE8, we wouldn't be able to use a new, important security feature (or somesuch).
In my opinion: EE8 could introduce problems in the future, the time and impact of which being unknown, while going with EE10 (although making us more future-proof) is sure to cause a lot of overhead and compatibility problems today - while it's not addressing any important issue that we know to exist today.
It’s worth looking at this specifically from a security angle: it can be argued that going with EE10 gives us a more future-proofed platform from a security perspective. However, that’s somewhat theoretical. We’re not aware of any existing security issues, and future issues may very well be mitigable without moving to EE10. We are making good security improvements anyway (by virtue of upgrading to the maintained version of Jetty).
Choosing for EE8 now doesn’t prevent us from moving to EE10 (or later) in the future, so there’s always that possibility to deal with future problems. For now, I’m happy to commit to EE8.
Details
Assignee
Guus der KinderenGuus der KinderenReporter
Guus der KinderenGuus der KinderenFix versions
Priority
Major
Details
Details
Assignee
Guus der KinderenReporter
Guus der KinderenFix versions
Priority
Major
Update to Jetty 11 12 (or later) for continued support.
Jetty 11 (and later) have switched to the JakartaEE namespace, which is a breaking change. Read more about this in https://www.eclipse.org/lists/jakartaee-platform-dev/msg00029.html
A very helpful discussion was had with Jetty community members in https://github.com/jetty/jetty.project/issues/10871 . Please refer to this for more background information.
Jetty 12 (re)introduces support for EE8, which uses the old namespace. To be clear, using Jetty 12 allows us either the old or the new namespace. We’ll need to figure out the pro’s and cons of each, but not being required to update all kinds of dependencies because of the switch to the Jakarta namespace is appealing. On the other hand, we might use dependencies that require Jakarta.
In any case, Jetty 12 required Java 17, which means that Openfire needs to bump its minimum Java requirement (which is at Java 11 for Openfire 4.9).