[
https://issues.apache.org/jira/browse/GEODE-10467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jinwoo Hwang updated GEODE-10467:
---------------------------------
Description:
h2. Summary
Apache Geode 2.0.0 represents a significant modernization effort to address
security vulnerabilities, improve performance, and ensure long-term
sustainability. This major release upgrades core dependencies and runtime
requirements while evaluating deprecated features for potential removal.
h2. Description
Following the successful delivery of version 1.15.2 after a three-year hiatus,
the Apache Geode community is proposing version 2.0.0 as a comprehensive
modernization release. This release focuses on upgrading legacy dependencies,
addressing security concerns, and streamlining the codebase for better
maintainability.
h3. Key Proposed Changes
*Modern Platforms & Frameworks*
* Java 17 LTS
* Jakarta EE 10
* Geode Session Manager for Tomcat 10
* Tomcat 10
* Spring Framework 6
* Spring Security 6
* Gradle 7
* Jetty 12
* Apache Lucene 9
*Runtime and Core Dependencies:*
* Upgrade Java runtime from 1.8 to 17 LTS or 21 LTS (Kishor)
* Upgrade Spring Framework to version 6 or potentially skip to version 7
(Charlie)
* Upgrade Spring Security to version 6
* Migrate from Java EE to Jakarta EE 9
* Upgrade Gradle from version 6 to 7.3.3 for Java 17 toolchain support or 8.4
for Java 21 support
*Supply Chain Security*
* Implement automated Software Bill of Materials (SBOM) generation for Apache
Geode to enhance supply chain security, improve dependency transparency, and
meet modern compliance requirements for enterprise deployments.
*Security*
* Remediate critical security vulnerabilities in third-party dependencies as
well as in Apache Geode
*Security Improvements:*
* Address numerous known vulnerabilities in legacy Java 8
* Resolve CVEs in Spring Framework and Spring Security
* Establish zero-known-vulnerability baseline for current releases
* Remediate any undisclosed security vulnerabilities
*Feature Evaluation and Potential Removals:* Based on community feedback, the
following features are candidates for deprecation/removal:
* *Lucene Integration* - Consider removal due to (Leon/Charlie):
** Feature was never fully completed
** Current implementation uses 6-year-old Lucene version
** Requires significant maintenance effort
** Alternative: Evaluate upgrading to Lucene 9 for vector store capabilities
and KNN indexing support
* *Off-heap Memory* - Consider removal due to (Charlie):
** Difficult for operations teams to monitor effectively
** Original purpose (large heap management under CMS GC) no longer relevant
with modern JVMs
** Pause-less garbage collectors like ZGC provide better alternatives
* *Jetty Integration* - Evaluate current usage and upgrade requirements (Leon)
h3. Benefits
* Enhanced security posture with modern, supported dependencies
* Improved performance through Java 17 optimizations
* Better developer experience with modern language features
* Simplified codebase through removal of deprecated/incomplete features
* Alignment with current industry standards and best practices
* Long-term sustainability and maintainability
h3. Community Impact
This release aims to position Apache Geode for future growth while maintaining
focus on core functionality (gets, puts, listeners) that forms the foundation
of most user implementations.
h2. Acceptance Criteria
* Successfully upgrade Java runtime to 17
* Upgrade Spring Framework and Security to version 6 (or 7)
* Complete Jakarta EE 9 migration
* Update build configuration for Java 17 compatibility
* Evaluate and decide on Lucene, off-heap memory, and Jetty features
* Address all identified security vulnerabilities
* Maintain backward compatibility where feasible
* Update documentation and migration guides
h2. Community Involvement Needed
* *Feedback* on roadmap comprehensiveness and community alignment
* *Reviewers* for pull requests and code changes
* *Contributors* for code, documentation, testing, and architectural decisions
* *Testing* across various deployment scenarios and use cases
This represents a strategic investment in Apache Geode's future, ensuring the
project remains relevant, secure, and performant in the evolving distributed
systems landscape.
was:
h2. Summary
Apache Geode 2.0.0 represents a significant modernization effort to address
security vulnerabilities, improve performance, and ensure long-term
sustainability. This major release upgrades core dependencies and runtime
requirements while evaluating deprecated features for potential removal.
h2. Description
Following the successful delivery of version 1.15.2 after a three-year hiatus,
the Apache Geode community is proposing version 2.0.0 as a comprehensive
modernization release. This release focuses on upgrading legacy dependencies,
addressing security concerns, and streamlining the codebase for better
maintainability.
h3. Key Proposed Changes
*Modern Platforms & Frameworks*
* Java 17 LTS
* Jakarta EE 10
* Tomcat 10
* Spring Framework 6
* Spring Security 6
* Gradle 7
* Jetty
*Runtime and Core Dependencies:*
* Upgrade Java runtime from 1.8 to 17 LTS or 21 LTS (Kishor)
* Upgrade Spring Framework to version 6 or potentially skip to version 7
(Charlie)
* Upgrade Spring Security to version 6
* Migrate from Java EE to Jakarta EE 9
* Upgrade Gradle from version 6 to 7.3.3 for Java 17 toolchain support or 8.4
for Java 21 support
*Supply Chain Security*
* Implement automated Software Bill of Materials (SBOM) generation for Apache
Geode to enhance supply chain security, improve dependency transparency, and
meet modern compliance requirements for enterprise deployments.
*Security*
* Remediate critical security vulnerabilities in third-party dependencies as
well as in Apache Geode
*Security Improvements:*
* Address numerous known vulnerabilities in legacy Java 8
* Resolve CVEs in Spring Framework and Spring Security
* Establish zero-known-vulnerability baseline for current releases
* Remediate any undisclosed security vulnerabilities
*Feature Evaluation and Potential Removals:* Based on community feedback, the
following features are candidates for deprecation/removal:
* *Lucene Integration* - Consider removal due to (Leon/Charlie):
** Feature was never fully completed
** Current implementation uses 6-year-old Lucene version
** Requires significant maintenance effort
** Alternative: Evaluate upgrading to Lucene 9 for vector store capabilities
and KNN indexing support
* *Off-heap Memory* - Consider removal due to (Charlie):
** Difficult for operations teams to monitor effectively
** Original purpose (large heap management under CMS GC) no longer relevant
with modern JVMs
** Pause-less garbage collectors like ZGC provide better alternatives
* *Jetty Integration* - Evaluate current usage and upgrade requirements (Leon)
h3. Benefits
* Enhanced security posture with modern, supported dependencies
* Improved performance through Java 17 optimizations
* Better developer experience with modern language features
* Simplified codebase through removal of deprecated/incomplete features
* Alignment with current industry standards and best practices
* Long-term sustainability and maintainability
h3. Community Impact
This release aims to position Apache Geode for future growth while maintaining
focus on core functionality (gets, puts, listeners) that forms the foundation
of most user implementations.
h2. Acceptance Criteria
* Successfully upgrade Java runtime to 17
* Upgrade Spring Framework and Security to version 6 (or 7)
* Complete Jakarta EE 9 migration
* Update build configuration for Java 17 compatibility
* Evaluate and decide on Lucene, off-heap memory, and Jetty features
* Address all identified security vulnerabilities
* Maintain backward compatibility where feasible
* Update documentation and migration guides
h2. Community Involvement Needed
* *Feedback* on roadmap comprehensiveness and community alignment
* *Reviewers* for pull requests and code changes
* *Contributors* for code, documentation, testing, and architectural decisions
* *Testing* across various deployment scenarios and use cases
This represents a strategic investment in Apache Geode's future, ensuring the
project remains relevant, secure, and performant in the evolving distributed
systems landscape.
> Apache Geode 2.0.0 - Major Modernization Release
> ------------------------------------------------
>
> Key: GEODE-10467
> URL: https://issues.apache.org/jira/browse/GEODE-10467
> Project: Geode
> Issue Type: Task
> Reporter: Jinwoo Hwang
> Assignee: Jinwoo Hwang
> Priority: Major
>
> h2. Summary
> Apache Geode 2.0.0 represents a significant modernization effort to address
> security vulnerabilities, improve performance, and ensure long-term
> sustainability. This major release upgrades core dependencies and runtime
> requirements while evaluating deprecated features for potential removal.
> h2. Description
> Following the successful delivery of version 1.15.2 after a three-year
> hiatus, the Apache Geode community is proposing version 2.0.0 as a
> comprehensive modernization release. This release focuses on upgrading legacy
> dependencies, addressing security concerns, and streamlining the codebase for
> better maintainability.
> h3. Key Proposed Changes
>
> *Modern Platforms & Frameworks*
> * Java 17 LTS
> * Jakarta EE 10
> * Geode Session Manager for Tomcat 10
> * Tomcat 10
> * Spring Framework 6
> * Spring Security 6
> * Gradle 7
> * Jetty 12
> * Apache Lucene 9
> *Runtime and Core Dependencies:*
> * Upgrade Java runtime from 1.8 to 17 LTS or 21 LTS (Kishor)
> * Upgrade Spring Framework to version 6 or potentially skip to version 7
> (Charlie)
> * Upgrade Spring Security to version 6
> * Migrate from Java EE to Jakarta EE 9
> * Upgrade Gradle from version 6 to 7.3.3 for Java 17 toolchain support or
> 8.4 for Java 21 support
> *Supply Chain Security*
> * Implement automated Software Bill of Materials (SBOM) generation for
> Apache Geode to enhance supply chain security, improve dependency
> transparency, and meet modern compliance requirements for enterprise
> deployments.
> *Security*
> * Remediate critical security vulnerabilities in third-party dependencies as
> well as in Apache Geode
> *Security Improvements:*
> * Address numerous known vulnerabilities in legacy Java 8
> * Resolve CVEs in Spring Framework and Spring Security
> * Establish zero-known-vulnerability baseline for current releases
> * Remediate any undisclosed security vulnerabilities
> *Feature Evaluation and Potential Removals:* Based on community feedback, the
> following features are candidates for deprecation/removal:
> * *Lucene Integration* - Consider removal due to (Leon/Charlie):
> ** Feature was never fully completed
> ** Current implementation uses 6-year-old Lucene version
> ** Requires significant maintenance effort
> ** Alternative: Evaluate upgrading to Lucene 9 for vector store capabilities
> and KNN indexing support
> * *Off-heap Memory* - Consider removal due to (Charlie):
> ** Difficult for operations teams to monitor effectively
> ** Original purpose (large heap management under CMS GC) no longer relevant
> with modern JVMs
> ** Pause-less garbage collectors like ZGC provide better alternatives
> * *Jetty Integration* - Evaluate current usage and upgrade requirements
> (Leon)
> h3. Benefits
> * Enhanced security posture with modern, supported dependencies
> * Improved performance through Java 17 optimizations
> * Better developer experience with modern language features
> * Simplified codebase through removal of deprecated/incomplete features
> * Alignment with current industry standards and best practices
> * Long-term sustainability and maintainability
> h3. Community Impact
> This release aims to position Apache Geode for future growth while
> maintaining focus on core functionality (gets, puts, listeners) that forms
> the foundation of most user implementations.
> h2. Acceptance Criteria
> * Successfully upgrade Java runtime to 17
> * Upgrade Spring Framework and Security to version 6 (or 7)
> * Complete Jakarta EE 9 migration
> * Update build configuration for Java 17 compatibility
> * Evaluate and decide on Lucene, off-heap memory, and Jetty features
> * Address all identified security vulnerabilities
> * Maintain backward compatibility where feasible
> * Update documentation and migration guides
> h2. Community Involvement Needed
> * *Feedback* on roadmap comprehensiveness and community alignment
> * *Reviewers* for pull requests and code changes
> * *Contributors* for code, documentation, testing, and architectural
> decisions
> * *Testing* across various deployment scenarios and use cases
> This represents a strategic investment in Apache Geode's future, ensuring the
> project remains relevant, secure, and performant in the evolving distributed
> systems landscape.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
