johnjohndoe
commented
5 years ago As a side note: Square promised to at least apply security fixes to the 3.12.x branch and already did so.
Open simonpoole opened 5 years ago
johnjohndoe
commented
5 years ago As a side note: Square promised to at least apply security fixes to the 3.12.x branch and already did so.
simonpoole
commented
5 years ago As a side note: Square promised to at least apply security fixes to the 3.12.x branch and already did so.
Till the end of next year, which is not even believable, considering that they will have completely different code bases well before that.
swankjesse
commented
5 years ago OkHttp’s maintainers are grown up people and stand by our commitments to provide security fixes to the 3.12.x branch.
simonpoole
commented
5 years ago @swankjesse the grown up observation was coined because of the teenaged fanboying in the kotlin announcement.
As to the rest: as has already been pointed out to you, you are de-supporting at least 150'000'000 devices, including 1st and 2nd generation Android tablets that are running just fine, for no good reason.
Ecological reasons alone would be a reason not to do that.
And, btw, you don't have to take my word for it: the reason we noticed this in the first place, was because you were so kind to make a breaking change in a minor version and users, gosh using 4.1 and 4.4 devices, were experiencing crashes in the beta for our next release.
johnjohndoe
commented
3 years ago FYI: OkHttp has extended the backport deadline by one year: :cold_sweat:
... But because upgrading is difficult we will backport critical fixes to the 3.12.x branch through December 31, 2021. (This commitment was originally through December 31, 2020; we have since extended it.)
swankjesse
commented
3 years ago Yep. OkHttp 3.12.x isn’t going away in the same way that Android 4.4 isn’t going away. They both continue to work, and if you want to target devices with versions from 2010 you can do worse than to use an HTTP client library with a version from 2018.
If you are spending time making old devices work, please consider supporting TLSv1.2 on ’em. You can use Conscrypt or Google Play Services to do this. It’s a decent amount of work! But the upside is that the OpenStreetMap servers that these devices connect to will be able to require a TLS version from 2008. Stronger minimums of TLS versions creates real security for users and reduces operational costs of services.
Breaking backwards compatibility in a minor release was an indication that the library was becoming useless see https://medium.com/square-corner-blog/okhttp-3-13-requires-android-5-818bb78d07ce and https://github.com/square/okhttp/issues/4481 , by de-supporting > 10% of android devices it already implied that we are stuck on 3.12.
https://github.com/square/okhttp/issues/4723 puts the nail in the coffin (it is interesting how grown up people so easily fall for a google marketing ploy and even quote it in their reasoning), as it implies that there will be no security back ports once they have migrated to the newest fad.