Re: Guidance on tomcat8 update for (LTS) jessie
On 2018-06-25 18:40:06, Roberto C. Sánchez wrote:
> Security Team & Tomcat Maintainers,
> I began working on a jessie LTS update for tomcat8 and sought some
> guidance from Markus Koschany, as he prepared a tomcat7 update recently.
> He pointed out that the tomcat8 package in jessie is based on the 8.0.x
> upstream releases, which will reach EOL on 30th June. He further
> recommended that I consider updating the tomcat8 package in jessie to
> the 8.5.x series.
> After some quick investigating I found that the current tomcat8 packages
> in Debian are based on the following upstream releases:
> stretch -> 8.5.14
> buster -> 8.5.31
> sid -> 8.5.32 (latest upstream release)
> It doesn't make sense to advance tomcat8 in jessie to a newer release
> than what is in stretch. However, it is also not a workable solution to
> have an unsupported tomcat release in jessie.
> There appear to be the following possible courses of action:
> - Backport patches to the 8.0.14-based packages in jessie
>   + this is potentially high risk, especially since after EOL upstream
>     will no longer check new CVEs for applicability to the 8.0.x releases
>     nor will they make any effort to apply fixes to that branch
> - Update the tomcat8 in jessie using the stretch 8.5.14-1+deb9u2
> packages as a starting point
> - Update the tomcat8 in jessie to be based on the latest upstream 8.5.32
>   + This does not seem to make much sense unless the same is done for
>     stretch, a user would otherwise then end up with the stretch package
>     masked in a jessie -> stretch distribution upgrade because of the
>     jessie package having a higher version than the stretch package
>   + The upgrade version anomaly could be avoided by using a package
>     version like 8.0.14-2+really8.5.32, but that would still result in
>     users actually downgrading
> I am curious as to whether there is a plan to bring tomcat8 in stretch
> in line with the latest 8.5.x upstream release. If not, then what is
> the recommendation for how to proceed here?
As an outsider not very familiar with Tomcat, I guess the main question
I would like to answer before figuring this out would be what kind of
compatibility guarantees does Tomcat provide between versions. If it
respects semver conventions, an 8.0 -> 8.5 update might be
non-destructive and actually beneficial to our users.
Once that is done, we need to figure out what to do with stretch and
buster. The latter will most likely sync up with upstream's latest
through regular unstable transitions, but how about stretch? Is there
any compelling reason why it's not following upstream minor releases?
We've used that process (following semver + upstream more closely on
stable) to update packages like PHP in the past and it served us well,
so I wonder if that would be the same situation... In that case, this
would be a matter of, as you say, sync stretch to jessie, then update
stretch, and sync jessie again.
Otherwise, I would consider syncing jessie with stretch unless there are
compelling compatibility issues between 8.0 and 8.5. I can research that
further if necessary.