Update the cross version guarantee to reflect the Java unbreaking changes.

protobuf-github-bot · copybara-github · commit 8fce3a07111d · 2025-10-07T14:55:44.000-07:00
PiperOrigin-RevId: 816390326
diff --git a/content/support/cross-version-runtime-guarantee.md b/content/support/cross-version-runtime-guarantee.md
@@ -7,10 +7,10 @@ type = "docs"
 
 <link rel="stylesheet" href="/includes/version-tables.css">
 
-Protobuf language bindings have two components. The generated code (typically
-produced from `protoc`) and the runtime libraries that must be included when
-using the generated code. When these come from different releases of protobuf,
-we are in a "cross version runtime" situation.
+Protobuf language bindings have two components. The generated code (gencode) and
+the runtime libraries that implement common functionality for that generated
+code. When these come from different releases of protobuf, we are in a "cross
+version runtime" situation.
 
 We intend to offer the following guarantees across most languages. These are the
 default guarantees; however, owners of protobuf code generators and runtimes may
@@ -38,18 +38,30 @@ gencode with an older runtime.
 
 ## Major Versions {#major}
 
-Starting with the 2025Q1 release, the protobuf project will adopt a rolling
-compatibility window for major versions. Code generated for a major version V
-(full version: V.x.y) will be supported by protobuf runtimes of version V and
-V+1.
+Protobuf implements sliding window compatibility for major versions. Code
+generated for a major version V (full version: V.x.y) will be supported by
+protobuf runtimes of major version V and V+1.
 
-Prior to this policy, code generated for 3.22.x+ (release ~1 year prior to major
-version 4) will still be supported by protobuf runtimes of version 3 and 4.
-Users with older gencode should upgrade to the latest gencode from 3.25.x.
+Protobuf will **not** support using gencode from version V with runtime &gt;=
+V+2 and will be using a "poison pill" mechanism to fail with a clear error
+message when a software assembly attempts to use such a configuration.
 
-Protobuf will not support using gencode from version V with runtime &gt;= V+2
-and will be using a "poison pill" mechanism to fail with a clear error message
-when a software assembly attempts to use such a configuration.
+For Example:
+
+*   Java code generated by protobuf version 3.0.0 will work with runtimes 3.0.0
+    to 4.x.y but **not** with runtimes 2.0.0 to 2.x.y or runtimes &gt;= 5.0.0.
+*   Java code generated by protobuf version 4.27.2 will work with runtimes
+    4.27.2 to 5.x.y but **not** runtimes 2.0.0 to 4.27.1 or runtimes &gt;= 6.0.0
+
+Exceptions may be made in case where compatibility with older gencode *cannot*
+be maintained, such as in the case of [security](#exception) fixes requiring
+updated gencode.
+
+**Note:** Poison pills were introduced in the protobuf 26.0 release. Java
+gencode older than 4.26.0 may *appear* to work with runtimes that are older than
+the gencode. However, the combination of
+[newer gencode and older runtime](#backwards) may have serious bugs that do not
+manifest until runtime.
 
 **Note:** [C++ and Rust](#cpp) do not support compatibility windows, and
 [Python](#python) supports much longer ones.
@@ -67,11 +79,11 @@ versions.
 We reserve the right to violate the above promises if needed for security
 reasons. We expect these exceptions to be rare, but will always prioritize
 security above these guarantees. For example,
-[footmitten](https://cve.report/CVE-2022-3510) required paired updates to both
-the runtime and the generated code for Java. As a result, code generated by
-3.20.3 (which contained the footmitten fix) would not load with runtime library
-3.21.6 (which predates the footmitten fix), creating the following compatibility
-matrix:
+[the footmitten CVE](https://cve.report/CVE-2022-3510) required paired updates
+to both the runtime and the generated code for Java. As a result, code generated
+by 3.20.3 (which contained the footmitten fix) would not load with runtime
+library 3.21.6 (which predates the footmitten fix), creating the following
+compatibility matrix:
 
 <table>
   <tr>
@@ -88,23 +100,23 @@ matrix:
     <td rowspan="4">Runtime<br>Version</td>
     <td class="gray">3.20.2</td>
     <td class="yellow">Vuln</td>
-    <td class="red"><b>Broken</b></td>
-    <td class="yellow"><b>Vuln</b></td>
-    <td class="red"><b>Broken</b></td>
+    <td class="red"><b>!Broken!</b></td>
+    <td class="yellow"><b>!Vuln!</b></td>
+    <td class="red"><b>!Broken!</b></td>
   </tr>
   <tr>
     <td class="gray">3.20.3</td>
     <td class="yellow">Vuln</td>
     <td class="green">Works</td>
-    <td class="yellow"><b>Vuln</b></td>
-    <td class="green"><b>Works?</b></td>
+    <td class="yellow"><b>!Vuln!</b></td>
+    <td class="green"><b>!Works?!</b></td>
   </tr>
   <tr>
     <td class="gray">3.21.6</td>
     <td class="yellow">Vuln</td>
     <td class="red">Broken</td>
     <td class="yellow">Vuln</td>
-    <td class="red"><b>Broken</b></td>
+    <td class="red"><b>!Broken!</b></td>
   </tr>
   <tr>
     <td class="gray">3.21.7</td>
@@ -120,8 +132,8 @@ matrix:
 *   “Works” indicates that the combination will successfully start and does not
     have the vulnerability.
 *   “Broken” indicates that the combination will not successfully start.
-*   **Bold** indicates configurations that were never deliberately intended to
-    function together given the guarantees outlined in this topic.
+*   **!Bold!** indicates configurations that mix newer gencode with older
+    runtime and were never intended to work together.
 
 ## No Coexistence of Multiple Major Runtime Versions {#coexist}
 
