[
https://issues.apache.org/jira/browse/GEODE-10511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jinwoo Hwang updated GEODE-10511:
---------------------------------
Description:
As part of the Geode 2.0 release preparation, we need to review and update the
LICENSE and NOTICE files to ensure all dependencies and third-party components
are accurately documented before cutting the support branch.
h2. Tasks
h3. 1. License Review Script
Check LICENSE files for:
* Missing dependencies
* Outdated versions
* Dependencies removed since the previous release
h3. 2. Review Dependency Changes
* Identify any new dependencies added since Geode 1.15.2
* Check if any dependencies were removed and manually verify if stale
references exist in LICENSE or NOTICE files that can be removed
* For new dependencies with Apache 2.0 License, add them to the {{isApache2}}
function in the license_review script
h3. 3. Update Binary Distribution License
If any new 3rd-party .jar files now appear in the binary distribution, update
{{geode-assembly/src/main/dist/LICENSE}} accordingly
h3. 4. Update Source Tree License
If new 3rd-party intellectual property was checked into the source tree (e.g.,
JavaScript libraries, CSS files, etc.), update:
* Root {{LICENSE}} file
* {{geode-assembly/src/main/dist/LICENSE}} file
h3. 5. Review NOTICE File
* Verify all copyright notices are current and accurate
* Ensure all required attributions for third-party components are present
h2. Acceptance Criteria
* All new dependencies are properly documented in LICENSE file(s)
* All removed dependencies have been cleaned up from LICENSE/NOTICE files
* Binary distribution LICENSE is accurate
* Source tree LICENSE includes all checked-in third-party code
* NOTICE file contains all required copyright and attribution notices
* Changes are committed to develop
* Review discussed with community on dev list if any questions arise
h2. Notes
* This should be completed before cutting the support/2.0 branch
* This is a critical step for Apache compliance and release approval
was:
h2. Summary
Apache Geode 2.0.0 represents a significant modernization effort to address
security vulnerabilities, improve performance, and ensure long-term
sustainability. This major release upgrades core dependencies and runtime
requirements while evaluating deprecated features for potential removal.
h2. Description
Following the successful delivery of version 1.15.2 after a three-year hiatus,
the Apache Geode community is proposing version 2.0.0 as a comprehensive
modernization release. This release focuses on upgrading legacy dependencies,
addressing security concerns, and streamlining the codebase for better
maintainability.
h3. Key Proposed Changes
*Modern Platforms & Frameworks*
* Java 17 LTS
* Jakarta EE 10
* Geode Session Manager for Tomcat 10.1 and 11
* Tomcat 10.1 and 11 Support
* Spring Framework 6
* Spring Security 6
* Gradle 7
* Jetty 12
* Apache Lucene 9
* Apache HTTP 5
*Runtime and Core Dependencies:*
* Upgrade Java runtime from 1.8 to 17 LTS or 21 LTS (Kishor)
* Upgrade Spring Framework to version 6 or potentially skip to version 7
(Charlie)
* Upgrade Spring Security to version 6
* Migrate from Java EE to Jakarta EE 10
* Upgrade Gradle from version 6 to 7.3.3 for Java 17 toolchain support or 8.4
for Java 21 support
*Supply Chain Security*
* Implement automated Software Bill of Materials (SBOM) generation for Apache
Geode to enhance supply chain security, improve dependency transparency, and
meet modern compliance requirements for enterprise deployments.
*Security*
* Remediate critical security vulnerabilities in third-party dependencies as
well as in Apache Geode
*Security Improvements:*
* Address numerous known vulnerabilities in legacy Java 8
* Resolve CVEs in Spring Framework and Spring Security
* Establish zero-known-vulnerability baseline for current releases
* Remediate any undisclosed security vulnerabilities
*Feature Evaluation and Potential Removals:* Based on community feedback, the
following features are candidates for deprecation/removal:
* *Lucene Integration* - Consider removal due to (Leon/Charlie):
** Feature was never fully completed
** Current implementation uses 6-year-old Lucene version
** Requires significant maintenance effort
** Alternative: Evaluate upgrading to Lucene 9 for vector store capabilities
and KNN indexing support
* *Off-heap Memory* - Consider removal due to (Charlie):
** Difficult for operations teams to monitor effectively
** Original purpose (large heap management under CMS GC) no longer relevant
with modern JVMs
** Pause-less garbage collectors like ZGC provide better alternatives
* *Jetty Integration* - Evaluate current usage and upgrade requirements (Leon)
h3. Benefits
* Enhanced security posture with modern, supported dependencies
* Improved performance through Java 17 optimizations
* Better developer experience with modern language features
* Simplified codebase through removal of deprecated/incomplete features
* Alignment with current industry standards and best practices
* Long-term sustainability and maintainability
h3. Community Impact
This release aims to position Apache Geode for future growth while maintaining
focus on core functionality (gets, puts, listeners) that forms the foundation
of most user implementations.
h2. Acceptance Criteria
* Successfully upgrade Java runtime to 17
* Upgrade Spring Framework and Security to version 6 (or 7)
* Complete Jakarta EE 9 migration
* Update build configuration for Java 17 compatibility
* Evaluate and decide on Lucene, off-heap memory, and Jetty features
* Address all identified security vulnerabilities
* Maintain backward compatibility where feasible
* Update documentation and migration guides
h2. Community Involvement Needed
* *Feedback* on roadmap comprehensiveness and community alignment
* *Reviewers* for pull requests and code changes
* *Contributors* for code, documentation, testing, and architectural decisions
* *Testing* across various deployment scenarios and use cases
This represents a strategic investment in Apache Geode's future, ensuring the
project remains relevant, secure, and performant in the evolving distributed
systems landscape.
> Review and Update LICENSE and NOTICE Files for Apache Geode 2.0 Release
> -----------------------------------------------------------------------
>
> Key: GEODE-10511
> URL: https://issues.apache.org/jira/browse/GEODE-10511
> Project: Geode
> Issue Type: Task
> Reporter: Jinwoo Hwang
> Assignee: Jinwoo Hwang
> Priority: Major
> Fix For: 2.0.0
>
>
> As part of the Geode 2.0 release preparation, we need to review and update
> the LICENSE and NOTICE files to ensure all dependencies and third-party
> components are accurately documented before cutting the support branch.
> h2. Tasks
> h3. 1. License Review Script
> Check LICENSE files for:
> * Missing dependencies
> * Outdated versions
> * Dependencies removed since the previous release
> h3. 2. Review Dependency Changes
> * Identify any new dependencies added since Geode 1.15.2
> * Check if any dependencies were removed and manually verify if stale
> references exist in LICENSE or NOTICE files that can be removed
> * For new dependencies with Apache 2.0 License, add them to the
> {{isApache2}} function in the license_review script
> h3. 3. Update Binary Distribution License
> If any new 3rd-party .jar files now appear in the binary distribution, update
> {{geode-assembly/src/main/dist/LICENSE}} accordingly
> h3. 4. Update Source Tree License
> If new 3rd-party intellectual property was checked into the source tree
> (e.g., JavaScript libraries, CSS files, etc.), update:
> * Root {{LICENSE}} file
> * {{geode-assembly/src/main/dist/LICENSE}} file
> h3. 5. Review NOTICE File
> * Verify all copyright notices are current and accurate
> * Ensure all required attributions for third-party components are present
> h2. Acceptance Criteria
> * All new dependencies are properly documented in LICENSE file(s)
> * All removed dependencies have been cleaned up from LICENSE/NOTICE files
> * Binary distribution LICENSE is accurate
> * Source tree LICENSE includes all checked-in third-party code
> * NOTICE file contains all required copyright and attribution notices
> * Changes are committed to develop
> * Review discussed with community on dev list if any questions arise
> h2. Notes
> * This should be completed before cutting the support/2.0 branch
> * This is a critical step for Apache compliance and release approval
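The License Review Script and Review Dependency Changes tasks above amount to one cross-check: the set of artifacts a release actually ships, the set the previous release shipped, and the entries recorded in LICENSE must agree. The script below is an added example and is not the Geode project's own license_review script (whose input format and isApache2 helper are not shown on this page). It assumes dependency coordinates in group:artifact:version form and LICENSE entries in a "name (version) - license" style; both sample inputs are constructed. It reports the three defects the task lists (missing, outdated, stale entries) plus the added/removed sets used to drive the manual review.

```python
"""
Cross-check a release's dependency list against its LICENSE file.

Added example, not the Geode project's license_review script. Assumes
three inputs: the previous release's dependency coordinates, the current
release's, and the LICENSE text. All sample data below is constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed dependency lists in group:artifact:version form.
PREVIOUS_DEPS = """
org.example:widget-core:1.2.0
org.example:widget-io:1.2.0
com.acme:legacy-parser:0.9
"""

CURRENT_DEPS = """
org.example:widget-core:1.4.1
org.example:widget-io:1.2.0
io.fancy:vector-index:9.0.0
"""

# Constructed LICENSE excerpt in an assumed "name (version) - license" style.
LICENSE_TEXT = """
widget-core (1.2.0) - Apache License 2.0
widget-io (1.2.0) - Apache License 2.0
legacy-parser (0.9) - MIT License
"""

LICENSE_ENTRY = re.compile(
    r"^(?P<name>\S+) \((?P<version>[^)]+)\) - (?P<license>.+)$"
)


def parse_deps(text):
    """Return {artifact: version} from group:artifact:version lines."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _group, artifact, version = line.split(":")
        deps[artifact] = version
    return deps


def parse_license(text):
    """Return {artifact: (version, license)} for entries found in LICENSE."""
    entries = {}
    for line in text.splitlines():
        m = LICENSE_ENTRY.match(line.strip())
        if m:
            entries[m["name"]] = (m["version"], m["license"].strip())
    return entries


@dataclass
class ReviewReport:
    missing: list = field(default_factory=list)   # shipped, absent from LICENSE
    outdated: list = field(default_factory=list)  # LICENSE version != shipped
    stale: list = field(default_factory=list)     # in LICENSE, no longer shipped
    added: list = field(default_factory=list)     # new since previous release
    removed: list = field(default_factory=list)   # dropped since previous release


def review(previous_text, current_text, license_text):
    """Compare previous vs current dependencies and both against LICENSE."""
    prev = parse_deps(previous_text)
    cur = parse_deps(current_text)
    lic = parse_license(license_text)
    report = ReviewReport()
    # Dependency churn since the last release: what needs manual review.
    report.added = sorted(set(cur) - set(prev))
    report.removed = sorted(set(prev) - set(cur))
    # Every shipped artifact must be recorded at the shipped version.
    for artifact, version in sorted(cur.items()):
        if artifact not in lic:
            report.missing.append(artifact)
        elif lic[artifact][0] != version:
            report.outdated.append((artifact, lic[artifact][0], version))
    # Entries for artifacts no longer shipped are stale and can be removed.
    report.stale = sorted(set(lic) - set(cur))
    return report


if __name__ == "__main__":
    result = review(PREVIOUS_DEPS, CURRENT_DEPS, LICENSE_TEXT)
    for category, items in vars(result).items():
        print(f"{category}: {items}")
```

Running it on the constructed inputs flags vector-index as both newly added and missing from LICENSE, widget-core as recorded at an outdated version, and legacy-parser as a stale LICENSE entry for a dependency that was removed. A real run would feed it the resolved runtime classpath of the binary distribution rather than a hand-written list, since transitive artifacts that end up in the distribution need LICENSE coverage as well.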
--
This message was sent by Atlassian Jira
(v8.20.10#820010)