Long-Term Support (LTS) for Quarkus

[giscus[bot]]

Long-Term Support (LTS) for Quarkus

Quarkus: Supersonic Subatomic Java

https://quarkus.io/blog/lts-releases/

[liupu9]

LTS YYDS!

[harrypooni]

LTS should be at least 2 years support before migrating to a new version, why is the current LTS period so short?

[rxcorreia]

Any plans to extend the LTS support period? 1 year is quite challenging, specially if you are handling a large repo with many individual microservices.
We are currently migrating from a 2.x codebase and the effort has been significant.
Repeating it in a few months when 3.2 support ends would not be something we'd like to be doing...

[nbogdand]

If i want to update to a new LTS version, currently 3.8.3 (from 3.2.6.Final) how can I do it?
I've tried with "quarkus update" or "mvn io.quarkus.platform:quarkus-maven-plugin:3.8.3:update -N", but they both install the 3.9.1 version

[mbuchner]

Had the same issue -> check this doc: https://quarkus.io/guides/update-quarkus

mvn quarkus:update -Dstream=3.8

[gsmet]

Actually, that's funny you ask that now as we recently talked about it. We should definitely have a flag that keeps you on the latest LTS.

[svifred]

@gsmet I don't see the flag for latest LTS in the CLI, and I cannot find an issue referencing this as a future option. Is an LTS flag still planned? :)

[antoinedkt]

Question on LTS Security Patching Policy - Critical Vulnerabilities

👋 Hello Quarkus team,

We're currently using the latest Quarkus LTS version (3.20.1) in our project. We decided a few weeks ago to use only LTS versions, as our product will be deployed to production soon.

We're encountering some security vulnerability issues (only medium for now), and the 3.20.1 version was released on May 13th. Our understanding of the policy for upgrading/backporting LTS versions is that a patch version is released every two months, as detailed in your documentation:

• https://github.com/quarkusio/quarkus/wiki/Releasing-LTS
• https://github.com/quarkusio/quarkus/wiki/3.20-LTS-Release-Planning
• https://github.com/quarkusio/quarkus/wiki/LTS-Release-Process

Our core question is: Does this policy remain the same in the event of a discovery of critical or high-severity security vulnerabilities?

Our company has a strong security policy requiring us to fix critical/high CVEs (those with a score > 8) within 7 days. We need to determine if we should adjust our policy regarding this topic. Specifically, would it be a better option for us to use (last) minor versions rather than solely relying on the latest LTS releases?

Thank you for your help. 🙏

Have a nice week-end.

[antoinedkt]

Well, after more research in your documentation/wiki/articles, I found this one : https://quarkus.io/blog/lts-cadence/#emergency-exceptions and I think it's clearly respond to our question. 🙂

[gsmet]

Yes, we try to stick to the 2 month release cadence but I confirm we have everything in place in our processes to trigger emergency releases.

They have four digits and it happened already with 3.15.3.1 and 3.8.6.1.

[antoinedkt]

Thanks for your answer @gsmet, we can therefore continue to use the LTS version. 🙏