Hi
I have CC'ed Thierry Carrez because he expressed an interest in
preparing a new upload on the Ubuntu side [1].
@Thierry Carrez: I was unsure if you were on this list so I have CC'ed
you directly to be sure you received this.
As some of you know (and as the subject suggested) I am working on an
update of tomcat6 package. My main interest was to add some OSGi to some
jar files in libservlet2.5-java; however, while I was at it I looked if
I could fix a couple of other bugs. This is when I noticed Thierry was
working on a separate upload in Ubuntu.
Since eclipse depends on these OSGi changes; I need them to propagate to
Ubuntu as well and figured I might as well try to please the developers
and users in both Debian and Ubuntu, while I was at it. However - I ran
into a couple of things I would like some more experienced people to
look at (see below).
I hope I can convince you, Thierry, to help us by committing/sending
your coming changes to our tomcat6 package repository/mailing them to
(e.g.) me and perhaps review the part below as well (particularly the
JVM_TMP issue).
JVM_TMP issue
=============
In Debian JVM_TMP was set to /tmp/tomcat6-tmp in the init script. I
suspect this is also the case in Ubuntu (at least nothing suggests that
it has been changed).
I changed this to /var/cache/$NAME (defaults to /var/cache/tomcat6
[expanded before reading any config files])[3]. However I noticed that
tomcat6's postrm script already deletes /var/cache/tomcat6; so should I
change it to another value (and if so - which)?
I also intend to change the default JVM_TMP value in
debian/tomcat6.default (I did not notice it before my commit).
(Build-)Depends - The remaining delta
=====================================
A comment in debian/tomcat6.default (and [2]) suggests that java5 could
actually be used to run tomcat6; though neither Debian nor Ubuntu uses
an alternative on java5 in their Depends. I presume this is because of
gcj failing to run tomcat properly in the past (e.g. LP: #251004) and
that gcj does not provide java6-runtime(-headless).
Comparing the 6.0.20-2ubuntu2 with the current Debian the only
differences I see (besides the Debian changes in -3 to -7) is that
Ubuntu uses default-{jdk,jre-headless} in (Build-)Depends. [Thierry: can
you please confirm this?]
I intended to adopt this in Debian as well. I am aware that
default-jre(-headless) is gcj on some archs, but
java6-runtime(-headless) is provided by default-jre(-headless) which
means that gcj has always been a valid alternative on those (and only
those) archs in Debian.
The question is whether we believe that gcj has improved in the past 9
months (since LP: #251004) to the level, where it should be allowed on
all other archs as well (by adding an alt on java5-runtime-java).
Other Bugs:
===========
** Debian **
I have selected (based on some black magic heuristic - more or less "if
reassigned from tomcat5 or bug number < 30000") a subset of the bugs
filed against tomcat6 that I believe should be addressed.
#299635: NAME definition in /etc/init.d/tomcat5
While I appreciate the idea I am not sure how to implement it (e.g. due
to symlinks in various runlevels). Also we have not replied to it for 4
years. I am not even sure that the submitter still needs it.
If no one has a suggestion or solution for this I will mark it "wontfix".
#294741: Foreign characters lost at start (Bad UTF-8 decoding)
This has been blindly reassigned from tomcat5 to tomcat6 when tomcat5
was removed. I grepped "AddDefaultCharset" in both the orig.tar.gz and
the debian side packaging and nothing matched. In fact I cannot find
"charset" in any file looking remotely like a conffile.
Based on this I intend to close this bug stating tomcat6 is not affected
by this unless any of you know anything else about this.
#493932: libtomcat5-java: Shared classes not searched, but ...
Also reassigned from tomcat5; however I do not know if tomcat6 is
affected by it.
#547202: Tomcat6 Debian Squeeze fails to find classes in provided ...
Claimed to be a regression on our part and Ubuntu (at least at that
time) was according to submitter not affected. I believe; I intend to
ping the submitter to hear if the current tomcat is still affected.
#369270: tomcat5-webapps: working servlet examples are different ...
I have no clue if tomcat6 is affected by this "carry over bug" - I do
not mind writing to the submitter and asking if he/she still experiences
the problem in case no one knows the answer to it.
** Ubuntu **
Bugs from Ubuntu I believe will be or could be easily fixed and that I
am considering to get into the next Debian upload.
LP: #375493: tomcat6 needs debug start mode with jpda
As promised Ludovic Claude added the change stated in comment#4. Thierry
- are you satisfied with the solution? If so - this bug can be closed
with a sync from Debian (though it is not mention in the changelog as a
bug closing change).
LP: #475457: Adding JSVC_CLASSPATH to /etc/default/tomcat6
I understand this is being working on and I see no reason not to include
the solution in Debian as well.
LP: #440685: Make it clearer that JAVA_OPTS is about JSVC options
Assuming this is just debian/tomcat6.default that needs the update; this
seems trivial to fix and I do not mind doing it.
LP: #410379: Tomcat security configuration error prevents proper ...
As I understand it; the solution appears to be granting permission to do
setContextClassLoader and openjdk6 is only unaffected because it lacks
some implementation on the SecurityManager area. However I am unsure
which policy file to add it to.
Thank you in advance,
~Niels
Notes:
======
[1] See LP: #475457
[2] http://tomcat.apache.org/migration.html
[3] To prevent cases where a local user could create a symlink and have
a directory removed with root level "rm -fr" next time tomcat6 was started.
[4] For CPL
http://lists.debian.org/debian-legal/2001/12/msg00141.html
and IBM PUBLIC LICENSE which is the original one
http://lists.debian.org/debian-legal/1999/06/msg00218.html
Also considering item 7 of
http://www.ibm.com/developerworks/library/os-cplfaq.html
we may be to distribute it under EPL 1.0 (though that might require a
confirmation from debian-legal)
[5]
http://wiki.debian.org/DFSGLicenses#CommonPublicLicense.28CPL.29.2CVersion1.0
Changes:
========
Done on the Debian side (in the VCS) so far:
tomcat6 (6.0.20-8) UNRELEASED; urgency=low
* Corrected some spelling mistakes in debian/control.
(Closes: #557377, #557378)
* Changed the default value for JVM_TMP in the init script
to avoid a security problem.
* Added patches to install the OSGi metadata in some of the jars.
(Closes: #558176)
Attachment:
signature.asc
Description: OpenPGP digital signature