Re: Tomcat version for jessie
Le 28/04/2014 13:22, Moritz Muehlenhoff a écrit :
> Hi,
> I noticed that tomcat8 was uploaded into sid. We still have tomcat6 and tomcat7 in
> jessie, can we remove these so that there's only one update that needs to be security-
> supported?
(cc-ing debian-java)
Hi Moritz,
There are several factors to consider:
* tomcat8 is still in beta but is likely to be declared stable for Jessie.
* tomcat6 is still supported upstream, I asked upstream how long it
would last [1] and it is expected to be EOLed in 2016.
* tomcat7 is still less popular than tomcat6 according to popcon [2]. In
Ubuntu tomcat6 has 10x more installs than tomcat7.
I think it would be a good idea to remove tomcat6 from Jessie. The
source package should remain though to provide the libservlet2.5-java
package (still used by 64 packages).
tomcat7 will be supported much longer. For Jessie I'd like to suggest
packaging the upstream releases instead of backporting the patches to
ease the security support work. Tomcat 7 is mature and has an extensive
test suite unlike Tomcat 6. It's less likely to receive changes
affecting its stability during the Jessie life cycle.
Emmanuel Bourg
[1] http://markmail.org/thread/dh2h3z2y2y5n2f3x
[2]
http://qa.debian.org/popcon-graph.php?packages=tomcat6+tomcat7&show_installed=on&want_legend=on&want_ticks=on&from_date=&to_date=&hlght_date=&date_fmt=%25Y-%25m&beenhere=1
Reply to: