
Re: Tomcat 6 removal



On Sat, Oct 25, 2014 at 09:29:16AM -0700, tony mancill wrote:
> On 10/25/2014 06:43 AM, Moritz Mühlenhoff wrote:
> > On Thu, Oct 23, 2014 at 08:33:38PM -0700, tony mancill wrote:
> >> On 10/23/2014 01:28 PM, Moritz Mühlenhoff wrote:
> >>> On Wed, Oct 22, 2014 at 02:41:55PM +0200, Emmanuel Bourg wrote:
> >>>> Hi all,
> >>>>
> >>>> I've just uploaded an update of the tomcat6 package that builds only the
> >>>> Servlet API (libservlet2.5-java) and no longer the server packages
> >>>> (tomcat6, libtomcat6-java, etc). So even if the src:tomcat6 package is
> >>>> still part of Jessie we won't have to support the security updates.
> >>>>
> >>>> This change will break two packages:
> >>>> - libjboss-remoting-java: removal pending with jbossas4 (#764250)
> >>>> - tomcat-maven-plugin: no rdeps, low popcon. To be removed or upgraded
> >>>> to the version 2.x to fix the build failure.
> >>>>
> >>>> All the other packages which were relying on tomcat6 have been updated
> >>>> to use tomcat7 or tomcat8.
> >>>
> >>> Thanks, but wasn't the outcome of the discussion in April "Subject: 
> >>> Tomcat version for jessie" to only ship tomcat8?
> >>>
> >>> Cheers,
> >>>         Moritz
> >>>
> >>
> >> Hello Moritz,
> >>
> >> Yes, this was discussed at one point.  However, there was some
> >> subsequent discussion about this during DebConf and as part of this
> >> thread [1].  The conclusion from the Java Team is that tomcat7 is the
> >> right choice for users given the relative newness of tomcat8 and that it
> >> is currently under development.
> > 
> > Ok, but then we should remove tomcat8 from testing, so that we don't have
> > two versions of Tomcat in stable again.
> 
> As I understand it, the rationale for excluding tomcat8 would be to
> minimize the surface area for security updates. And maybe that's the
> right thing to aim for from a security perspective, but I'm not sure
> that it's right for users.
> 
> tomcat8 includes libraries that support the latest servlet and JSP
> specifications, so excluding it from jessie seems akin to telling users
> that "Debian stable is for running (this one version of) tomcat, but not
> for developing software."

Anyone developing can install a backport or run testing/unstable.

Given that dealing with 6/7 in wheezy is already problematic enough,
having two versions again in jessie is not feasible.

Cheers,
        Moritz

