Hi I have CC'ed Thierry Carrez because he expressed an interest in preparing a new upload on the Ubuntu side [1]. @Thierry Carrez: I was unsure if you were on this list so I have CC'ed you directly to be sure you received this. As some of you know (and as the subject suggested) I am working on an update of tomcat6 package. My main interest was to add some OSGi to some jar files in libservlet2.5-java; however, while I was at it I looked if I could fix a couple of other bugs. This is when I noticed Thierry was working on a separate upload in Ubuntu. Since eclipse depends on these OSGi changes; I need them to propagate to Ubuntu as well and figured I might as well try to please the developers and users in both Debian and Ubuntu, while I was at it. However - I ran into a couple of things I would like some more experienced people to look at (see below). I hope I can convince you, Thierry, to help us by committing/sending your coming changes to our tomcat6 package repository/mailing them to (e.g.) me and perhaps review the part below as well (particularly the JVM_TMP issue). JVM_TMP issue ============= In Debian JVM_TMP was set to /tmp/tomcat6-tmp in the init script. I suspect this is also the case in Ubuntu (at least nothing suggests that it has been changed). I changed this to /var/cache/$NAME (defaults to /var/cache/tomcat6 [expanded before reading any config files])[3]. However I noticed that tomcat6's postrm script already deletes /var/cache/tomcat6; so should I change it to another value (and if so - which)? I also intend to change the default JVM_TMP value in debian/tomcat6.default (I did not notice it before my commit). (Build-)Depends - The remaining delta ===================================== A comment in debian/tomcat6.default (and [2]) suggests that java5 could actually be used to run tomcat6; though neither Debian nor Ubuntu uses an alternative on java5 in their Depends. I presume this is because of gcj failing to run tomcat properly in the past (e.g. LP: #251004) and that gcj does not provide java6-runtime(-headless). Comparing the 6.0.20-2ubuntu2 with the current Debian the only differences I see (besides the Debian changes in -3 to -7) is that Ubuntu uses default-{jdk,jre-headless} in (Build-)Depends. [Thierry: can you please confirm this?] I intended to adopt this in Debian as well. I am aware that default-jre(-headless) is gcj on some archs, but java6-runtime(-headless) is provided by default-jre(-headless) which means that gcj has always been a valid alternative on those (and only those) archs in Debian. The question is whether we believe that gcj has improved in the past 9 months (since LP: #251004) to the level, where it should be allowed on all other archs as well (by adding an alt on java5-runtime-java). Other Bugs: =========== ** Debian ** I have selected (based on some black magic heuristic - more or less "if reassigned from tomcat5 or bug number < 30000") a subset of the bugs filed against tomcat6 that I believe should be addressed. #299635: NAME definition in /etc/init.d/tomcat5 While I appreciate the idea I am not sure how to implement it (e.g. due to symlinks in various runlevels). Also we have not replied to it for 4 years. I am not even sure that the submitter still needs it. If no one has a suggestion or solution for this I will mark it "wontfix". #294741: Foreign characters lost at start (Bad UTF-8 decoding) This has been blindly reassigned from tomcat5 to tomcat6 when tomcat5 was removed. I grepped "AddDefaultCharset" in both the orig.tar.gz and the debian side packaging and nothing matched. In fact I cannot find "charset" in any file looking remotely like a conffile. Based on this I intend to close this bug stating tomcat6 is not affected by this unless any of you know anything else about this. #493932: libtomcat5-java: Shared classes not searched, but ... Also reassigned from tomcat5; however I do not know if tomcat6 is affected by it. #547202: Tomcat6 Debian Squeeze fails to find classes in provided ... Claimed to be a regression on our part and Ubuntu (at least at that time) was according to submitter not affected. I believe; I intend to ping the submitter to hear if the current tomcat is still affected. #369270: tomcat5-webapps: working servlet examples are different ... I have no clue if tomcat6 is affected by this "carry over bug" - I do not mind writing to the submitter and asking if he/she still experiences the problem in case no one knows the answer to it. ** Ubuntu ** Bugs from Ubuntu I believe will be or could be easily fixed and that I am considering to get into the next Debian upload. LP: #375493: tomcat6 needs debug start mode with jpda As promised Ludovic Claude added the change stated in comment#4. Thierry - are you satisfied with the solution? If so - this bug can be closed with a sync from Debian (though it is not mention in the changelog as a bug closing change). LP: #475457: Adding JSVC_CLASSPATH to /etc/default/tomcat6 I understand this is being working on and I see no reason not to include the solution in Debian as well. LP: #440685: Make it clearer that JAVA_OPTS is about JSVC options Assuming this is just debian/tomcat6.default that needs the update; this seems trivial to fix and I do not mind doing it. LP: #410379: Tomcat security configuration error prevents proper ... As I understand it; the solution appears to be granting permission to do setContextClassLoader and openjdk6 is only unaffected because it lacks some implementation on the SecurityManager area. However I am unsure which policy file to add it to. Thank you in advance, ~Niels Notes: ====== [1] See LP: #475457 [2] http://tomcat.apache.org/migration.html [3] To prevent cases where a local user could create a symlink and have a directory removed with root level "rm -fr" next time tomcat6 was started. [4] For CPL http://lists.debian.org/debian-legal/2001/12/msg00141.html and IBM PUBLIC LICENSE which is the original one http://lists.debian.org/debian-legal/1999/06/msg00218.html Also considering item 7 of http://www.ibm.com/developerworks/library/os-cplfaq.html we may be to distribute it under EPL 1.0 (though that might require a confirmation from debian-legal) [5] http://wiki.debian.org/DFSGLicenses#CommonPublicLicense.28CPL.29.2CVersion1.0 Changes: ======== Done on the Debian side (in the VCS) so far: tomcat6 (6.0.20-8) UNRELEASED; urgency=low * Corrected some spelling mistakes in debian/control. (Closes: #557377, #557378) * Changed the default value for JVM_TMP in the init script to avoid a security problem. * Added patches to install the OSGi metadata in some of the jars. (Closes: #558176)
Attachment:
signature.asc
Description: OpenPGP digital signature