
Re: Tomcat 6 removal



On 29/10/2014 19:35, Moritz Mühlenhoff wrote:

> Given that dealing with 6/7 in wheezy is already problematic enough,
> having two versions again in jessie is not feasible.

I've been around for only one year, so I may not have a good overview of
the security issues with Tomcat, but from my experience the security
fixes are thoroughly documented by the upstream developers [1][2][3] and
backporting the patches isn't very difficult.

I admit the backporting can become more tedious as the code base ages;
that's why I was suggesting, the last time we discussed this topic, that
we do point release upgrades in stable. Starting with Tomcat 7, the
behavior of the server is verified by an extensive test suite, so this
operation is unlikely to cause severe regressions.

For example, if we ship Tomcat 8.0.14 in Jessie, we start by backporting
the security fixes, and one year later we upgrade it to the current
8.0.x version in testing (we pick a version that has been long enough in
testing to build confidence in its stability). I think that's a good
compromise between stability, security and maintainability.

What do you think?

Emmanuel Bourg

[1] http://tomcat.apache.org/security-6.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-8.html
