Java 17 Upgrade Announcement
Introduction
Nevis upgrades the runtime of all Java-based components from Java 8 to Java 17. The support of Java 17 is a major change with significant technological differences. We are committed to make the upgrade process as smooth as possible for all customers. For this reason, we will adjust the regular life cycle of the following Nevis releases.
What does this mean?
- We will release the first Nevis rolling release version with Java 17 in November 2023.
- We extend the life cycle of the August 2023 rolling release with Java 8 to facilitate the upgrade to Java 17.
- There will be no LTS-23 release in November 2023.
- We will release the first Nevis long-term support version with Java 17 in May 2024.
Java 17 is the latest released long-term support (LTS) version of Java. Nevis components will benefit from various improvements, security enhancements, and bug fixes that come with the upgrade to Java 17.
Do not hesitate to consult your Nevis Value Added Reseller if you have questions about how to plan and implement the Nevis upgrade to Java 17.
Rolling Release (RR)
We will release the first Nevis rolling release version with Java 17 in November 2023.
Rolling Release (RR-Aug-23) with Java 8
To facilitate customers on RR cycle for the major Nevis upgrade from Java 8 to Java 17, we provide a RR version in August 2023 with an extended support period compared to regular RR releases. This version will have a total life cycle of 16 months:
- Three months of full support according to Nevis life cycle. After the initial release in August 2023, no new features will be added. New features will only be released on future RR with Java 17 starting in November 2023.
- Nine months of maintenance support. This will include functional and security fixes on the August 2023 RR branch in November 2023, February 2024, and May 2024. This type of support is not customary for the RR cycle and is given especially for the August 2023 rolling release.
- Four months of fade-out support according to Nevis life cycle.
The August 2023 RR with an extended life cycle gives customers on RR cycle one year to plan and implement the upgrade from Java 8 to a Nevis RR with Java 17.
The Nevis life cycle of all other rolling releases remains unchanged.
Long-Term Support (LTS)
We will release the first Nevis long-term support version with Java 17 in May 2024.
There will be no Nevis LTS release in November 2023.
Long-Term Support (LTS-19)
The Nevis life cycle for LTS-19 remains unchanged.
Long-Term Support (LTS-21)
The full support is extended by six months to provide security and functional fixes for LTS-21 until the LTS-24 is released.
Except for this extension, the Nevis life cycle for LTS-21 remains unchanged.
Long-Term Support (LTS-24)
We will release the first Nevis long-term support version with Java 17 in May 2024. The regular Nevis LTS release cycle is shifted by six months. Starting in May 2024, LTS versions will be released every second year in May. The next LTS release after LTS-24 is scheduled to be on May 2026.
The LTS-24 will be based on the February 2024 version and hence will benefit from improved stability and incorporated feedback experience with Java 17 from two quarterly RR release cycles. The May 2024 LTS release gives customers on LTS-21 18 months with extended life support (ELS) and six months without ELS to plan and implement the upgrade from Java 8 to Nevis LTS-24 with Java 17. In addition, there is the option to start preliminary development and testing (for example, for custom AuthStates) already with the November 2023 RR version as it will be the basis of LTS-24.
The LTS-24 life cycle will have two years of full support and one year of maintenance support. Regrettably, we will not offer extended life support (ELS) for LTS-24 beyond this three-year period, prioritizing the delivery of a secure experience for our users. This decision is based on previous experiences with LTS-19 and LTS-21, where we found maintaining updated, secure third-party libraries becomes significantly challenging after three years.
Java 8 Security Fix Limitations
Nevis components depend on various 3rd party (open-source) libraries. 3rd party dependencies used in August 2023 RR and LTS-21 with Java 8 may run end-of-life and not get any further updates during the Nevis maintenance support life cycles.
Security fixes are provided for vulnerabilities that can be fixed by upgrading to a newer (minor or patch) version of 3rd party dependencies.
For releases still with Java 8, Nevis will investigate on a case-by-case basis how to proceed upon vulnerabilities detected in used 3rd party dependencies which are end-of-life:
- For dependencies that offer commercial support beyond the end-of-life date, Nevis will consider buying commercially released newer library versions, including security fixes for the remaining maintenance life cycle.
- For dependencies without commercial support beyond the end-of-life date, Nevis will upgrade to a new major version of the library or an alternative library, which potentially could cause a breaking change in the LTS release cycle.
- For dependencies without newer versions fixing a vulnerability, in exceptional cases, Nevis might be able to fork the library and provide a patch strictly for the duration of the life cycle.
- For the vulnerabilities in 3rd party dependencies that are end-of-life Nevis might be able to provide workarounds to prevent exploiting vulnerabilities but cannot always guarantee a security fix.