
Migrate to Jetty 10/11

Open mcorbin opened this issue 3 years ago • 10 comments

Hello,

The Ring Jetty adapter uses Jetty 9.4.38. Jetty 10 and 11 are available. I would like to know if you would be interested in migrating to one of these versions. The main difference between 10 and 11 seems to be the renaming of the javax.servlet packages to jakarta.servlet.

I'm not a Jetty expert but I think I can find some time to do the migration if you are interested.

mcorbin avatar Apr 24 '21 09:04 mcorbin

It would mean updating the minimum JVM version from 8 to 11. Are there any benefits to upgrading before 9.4 is officially deprecated?

weavejester avatar Apr 24 '21 17:04 weavejester

The most interesting thing is I think the websocket refactoring (https://webtide.com/jetty-10-and-11-have-arrived/).

mcorbin avatar Apr 24 '21 18:04 mcorbin

9.4.38 also has a serious vulnerability https://nvd.nist.gov/vuln/detail/CVE-2021-28165

iorena avatar Apr 26 '21 07:04 iorena

> 9.4.38 also has a serious vulnerability https://nvd.nist.gov/vuln/detail/CVE-2021-28165

I'll update to 9.4.40.

weavejester avatar Apr 26 '21 15:04 weavejester

9.4.40 seems to have two vulnerabilities https://nvd.nist.gov/vuln/detail/CVE-2021-28169 https://nvd.nist.gov/vuln/detail/CVE-2021-34428

Juholei avatar Jun 30 '21 09:06 Juholei

FYI, Jetty 9.x Community support ended on 6/1/22, but security updates will continue probably until 2025. See more at https://github.com/eclipse/jetty.project/issues/7958

antonmos avatar Jul 07 '22 19:07 antonmos

I think Jetty will have at least 2 supported stable versions for some time. Perhaps ring could also support all of them. Here is a table with some information on why you should use a version over the other: https://www.eclipse.org/jetty/download.php .

Jetty 10 also comes with servlet 4 API. According to this, Java 8 will receive security support until 2026 but no active development: https://endoflife.date/java .

Instead of migration, maybe supporting multiple versions concurrently is better. I imagine the glue layer is not that big, hence maintenance should not be that difficult.

WDYT?

ieugen avatar Sep 05 '22 20:09 ieugen

If you want to create and maintain a Ring adapter for Jetty 10, then by all means feel free to do so.

weavejester avatar Sep 09 '22 17:09 weavejester

There's already https://github.com/sunng87/ring-jetty9-adapter available (the project name is misleading).

mcorbin avatar Sep 09 '22 17:09 mcorbin

Thanks, I just found the project after James mentioned it just now on Slack. Looks pretty sweet.

If ring has the default jetty adapter here, people will feel the impulse to ask for upgrade / features since they are going to use it. If this is mostly a reference implementation maybe this can be mentioned. Eventually a link to good alternatives (like the one above) can also be provided.

Hopefully this will help with managing expectations.

ieugen avatar Sep 09 '22 18:09 ieugen

Supporting loom would be one good reason to upgrade: https://github.com/eclipse/jetty.project/issues/8007

tychedelia avatar Oct 27 '22 22:10 tychedelia