On 10/25/2014 06:43 AM, Moritz Mühlenhoff wrote: > On Thu, Oct 23, 2014 at 08:33:38PM -0700, tony mancill wrote: >> On 10/23/2014 01:28 PM, Moritz Mühlenhoff wrote: >>> On Wed, Oct 22, 2014 at 02:41:55PM +0200, Emmanuel Bourg wrote: >>>> Hi all, >>>> >>>> I've just uploaded an update of the tomcat6 package that builds only the >>>> Servlet API (libservlet2.5-java) and no longer the server packages >>>> (tomcat6, libtomcat6-java, etc). So even if the src:tomcat6 package is >>>> still part of Jessie we won't have to support the security updates. >>>> >>>> This change will break two packages: >>>> - libjboss-remoting-java: removal pending with jbossas4 (#764250) >>>> - tomcat-maven-plugin: no rdeps, low popcon. To be removed or upgraded >>>> to the version 2.x to fix the build failure. >>>> >>>> All the other packages which were relying on tomcat6 have been updated >>>> to use tomcat7 or tomcat8. >>> >>> Thanks, but wasn't the outcome of the discussion in April "Subject: >>> Tomcat version for jessie" to only ship tomcat8? >>> >>> Cheers, >>> Moritz >>> >> >> Hello Moritz, >> >> Yes, this was discussed at one point. However, there was some >> subsequent discussion about this during DebConf and as part of this >> thread [1]. The conclusion from the Java Team is that tomcat7 is the >> right choice for users given the relative newness of tomcat8 and that it >> is currently under development. > > Ok, but then we should remove tomcat8 from testing, so that we don't have > two versions of Tomcat in stable again. As I understand it, the rationale for excluding tomcat8 would be to minimize the surface area for security updates. And maybe that's the right thing to air for from a security perspective, but I'm not sure that it's right for users. tomcat8 includes libraries that support the latest servlet and JSP specifications, so excluding it from jessie seems akin to telling users that "Debian stable is for running (this one version of) tomcat, but not for developing software." However, I'm no longer running or developing on tomcat like I used to, so I might have a skewed perspective on it. My aim is only to have that conversation in the open. It feels like we should include software in the distribution that is being widely used, or will be widely used during the lifetime of the release. Given the timing of jessie and the current state of tomcat7 (mature, stable, mainstream), tomcat8 (the canonical implementation of the next servlet spec), we should consider both. Regards, tony
Attachment:
signature.asc
Description: OpenPGP digital signature